Episode 193

Posted on Thursday, Apr 13, 2023
The release of Ubuntu 23.04 Lunar Lobster is nigh so we take a look at some of the things the security team has been doing along the way, plus it’s our 6000th USN so we look back at the last 19 years of USNs whilst covering security updates for the Linux kernel, Emacs, Irssi, Sudo, Firefox and more.

Show Notes

Overview

The release of Ubuntu 23.04 Lunar Lobster is nigh so we take a look at some of the things the security team has been doing along the way, plus it’s our 6000th USN so we look back at the last 19 years of USNs whilst covering security updates for the Linux kernel, Emacs, Irssi, Sudo, Firefox and more.

This week in Ubuntu Security Updates

109 unique CVEs addressed

[USN-5998-1] Apache Log4j vulnerabilities (01:00)

[USN-6000-1] Linux kernel (BlueField) vulnerabilities (01:37)

[USN-6001-1] Linux kernel (AWS) vulnerabilities (04:18)

[USN-6004-1] Linux kernel (Intel IoTG) vulnerabilities (04:42)

[USN-6007-1] Linux kernel (GCP) vulnerabilities (04:51)

[USN-6009-1] Linux kernel (GCP) vulnerabilities

[USN-6003-1] Emacs vulnerability (05:03)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • Similar to [USN-5955-1] Emacs vulnerability [00:50]‚Äč from Episode 191 - again if used org-mode to output to a latex document which included other documents that had shell metacharacters in their filenames, could get code execution as the user running Emacs

[USN-6002-1] Irssi vulnerability (05:45)

  • 1 CVEs addressed in Kinetic (22.10)
  • IRC client - UAF when outputting a line which was not formatted whilst also outputting a line that was formatted - only likely to be able to be triggered by various scripts - was discovered after a recent update to GLib 2.75 which stopped using it’s own internal memory allocator and instead switched to regular malloc() / free() - would then trigger the memory checking of libc which detected this

[USN-6005-1] Sudo vulnerabilities (07:25)

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Failed to escape control characters in both the log output and sudoreplay (can be used to list or play back the commands executed in a sudo session) - and so could allow an attacker to get code execution as the user running sudoreplay by injecting terminal control characters

[USN-6010-1] Firefox vulnerabilities (08:45)

[USN-6011-1] Json-smart vulnerabilities (10:00)

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Small and fast JSON parser for Java - two similar issues, one in handling of unclosed quotes and the other in unclosed brackets - both could allow an attacker to DoS the application through crafted input

Goings on in Ubuntu Security Community

Preparing for the release of Ubuntu 23.04 (Lunar Lobster) (10:36)

  • Team has been busy finishing various items from the development roadmap for this cycle:
    • SBOM specification
    • improvements to how we distribute OVAL data
    • evaluation of dbus-broker integration with AppArmor to possibly replace dbus-daemon in a future Ubuntu release
    • Testing unprivileged user namespace restrictions via AppArmor
    • io_uring mediation support in AppArmor
    • Working with the snapd team on integrating dm-verity within snapd for improved integrity of snaps
    • Usual maintenance items as well:
      • all the normal CVE patching
      • a heap of MIR security reviews
      • snap store reviews
      • AppArmor upstream project maintenance
    • and more

Ubuntu Security Podcast on 2 weeks break

  • Alex on leave next week and the following week is the 23.10 start-of-cycle product roadmap sprint in Prague
  • Expect the podcast to be back the week ending 5th May

Get in contact