Episode 193

Show Notes

Overview

The release of Ubuntu 23.04 Lunar Lobster is nigh so we take a look at some of the things the security team has been doing along the way, plus it’s our 6000th USN so we look back at the last 19 years of USNs whilst covering security updates for the Linux kernel, Emacs, Irssi, Sudo, Firefox and more.

This week in Ubuntu Security Updates

109 unique CVEs addressed

[USN-5998-1] Apache Log4j vulnerabilities (01:00)

• 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2022-23307
  • CVE-2022-23305
  • CVE-2022-23302
  • CVE-2019-17571
• A bunch of older vulnerabilities, some discovered in the wake of log4shell but not deemed as critical

[USN-6000-1] Linux kernel (BlueField) vulnerabilities (01:37)

• 23 CVEs addressed in Focal (20.04 LTS)
  • CVE-2023-28328
  • CVE-2023-26607
  • CVE-2023-23455
  • CVE-2023-23454
  • CVE-2023-20938
  • CVE-2023-1382
  • CVE-2023-0394
  • CVE-2023-0266
  • CVE-2023-0045
  • CVE-2022-47929
  • CVE-2022-47520
  • CVE-2022-42329
  • CVE-2022-42328
  • CVE-2022-4139
  • CVE-2022-41218
  • CVE-2022-36280
  • CVE-2022-3623
  • CVE-2022-3545
  • CVE-2022-3521
  • CVE-2022-3435
  • CVE-2022-3424
  • CVE-2022-3169
  • CVE-2023-0461
• NVIDIA BlueField specific kernel (5.4)
• Most high priority CVE UAF in Upper Level Protocol (mentioned in the last few episodes)
• 6000th USN published by the Ubuntu Security team - this one by Rodrigo Zaiden
• Out of interest:
  • USN-5000-1 - also a kernel USN in June 2021 (Steve Beattie)
  • USN-4000-1 - corosync in May 2019 (Leo Barbosa)
  • USN-3000-1 - kernel (utopic HWE backported to trusty) in June 2016 (John Johansen)
  • USN-2000-1 - nova in October 2013 (Jamie Strandboge)
  • USN-1000-1 - kernel again in October 2010 (Kees Cook)
  • USN-1-1 - libpng again in October 2004 (Matt Zimmerman)

[USN-6001-1] Linux kernel (AWS) vulnerabilities (04:18)

• 51 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2023-1118
  • CVE-2023-26607
  • CVE-2023-26545
  • CVE-2023-23455
  • CVE-2023-1095
  • CVE-2023-1074
  • CVE-2023-0394
  • CVE-2022-47929
  • CVE-2022-4662
  • CVE-2022-41850
  • CVE-2022-41849
  • CVE-2022-41218
  • CVE-2022-39188
  • CVE-2022-3903
  • CVE-2022-36879
  • CVE-2022-3646
  • CVE-2022-36280
  • CVE-2022-3628
  • CVE-2022-3303
  • CVE-2022-3111
  • CVE-2022-3061
  • CVE-2022-2991
  • CVE-2022-2663
  • CVE-2022-2380
  • CVE-2022-2318
  • CVE-2022-2503
  • CVE-2022-20572
  • CVE-2022-20132
  • CVE-2022-1975
  • CVE-2022-1974
  • CVE-2022-1516
  • CVE-2022-1462
  • CVE-2022-1205
  • CVE-2022-1195
  • CVE-2022-1016
  • CVE-2022-0617
  • CVE-2022-0494
  • CVE-2022-0487
  • CVE-2021-45868
  • CVE-2021-4203
  • CVE-2021-4149
  • CVE-2021-3772
  • CVE-2021-3732
  • CVE-2021-3669
  • CVE-2021-3659
  • CVE-2021-3428
  • CVE-2021-28713
  • CVE-2021-28712
  • CVE-2021-28711
  • CVE-2021-26401
  • CVE-2020-36516
• 4.4 kernel - wins the prize for the most number of CVEs fixed in a single update this week - thanks as always to the kernel team for all their work on these

[USN-6004-1] Linux kernel (Intel IoTG) vulnerabilities (04:42)

• 15 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2023-28328
  • CVE-2023-26606
  • CVE-2023-23559
  • CVE-2023-23455
  • CVE-2023-23454
  • CVE-2023-0266
  • CVE-2023-0210
  • CVE-2023-0045
  • CVE-2022-48424
  • CVE-2022-48423
  • CVE-2022-4382
  • CVE-2022-41218
  • CVE-2022-36280
  • CVE-2022-3424
  • CVE-2022-2196
• 5.15 kernel

[USN-6007-1] Linux kernel (GCP) vulnerabilities (04:51)

• 20 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2023-26607
  • CVE-2022-43750
  • CVE-2022-42895
  • CVE-2022-42329
  • CVE-2022-42328
  • CVE-2022-41850
  • CVE-2022-41849
  • CVE-2022-39842
  • CVE-2022-3649
  • CVE-2022-3646
  • CVE-2022-3640
  • CVE-2022-3628
  • CVE-2022-3545
  • CVE-2022-3521
  • CVE-2022-29901
  • CVE-2022-29900
  • CVE-2022-2663
  • CVE-2022-26373
  • CVE-2022-20369
  • CVE-2023-0461
• 4.15 (backported from 18.04 LTS)

[USN-6009-1] Linux kernel (GCP) vulnerabilities

• 11 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2023-28328
  • CVE-2023-23559
  • CVE-2023-23455
  • CVE-2023-0394
  • CVE-2023-0266
  • CVE-2023-0045
  • CVE-2022-47929
  • CVE-2022-41218
  • CVE-2022-36280
  • CVE-2022-3424
  • CVE-2021-3669
• follow-up kernel update including a bunch more fixes

[USN-6003-1] Emacs vulnerability (05:03)

• 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2023-28617
• Similar to [USN-5955-1] Emacs vulnerability [00:50]​ from Episode 191 - again if used org-mode to output to a latex document which included other documents that had shell metacharacters in their filenames, could get code execution as the user running Emacs

[USN-6002-1] Irssi vulnerability (05:45)

• 1 CVEs addressed in Kinetic (22.10)
  • CVE-2023-29132
• IRC client - UAF when outputting a line which was not formatted whilst also outputting a line that was formatted - only likely to be able to be triggered by various scripts - was discovered after a recent update to GLib 2.75 which stopped using it’s own internal memory allocator and instead switched to regular malloc() / free() - would then trigger the memory checking of libc which detected this

[USN-6005-1] Sudo vulnerabilities (07:25)

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2023-28487
  • CVE-2023-28486
• Failed to escape control characters in both the log output and sudoreplay (can be used to list or play back the commands executed in a sudo session) - and so could allow an attacker to get code execution as the user running sudoreplay by injecting terminal control characters

[USN-6010-1] Firefox vulnerabilities (08:45)

• 15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2023-29541
  • CVE-2023-29539
  • CVE-2023-29538
  • CVE-2023-29536
  • CVE-2023-29535
  • CVE-2023-29533
  • CVE-2023-29551
  • CVE-2023-29550
  • CVE-2023-29549
  • CVE-2023-29548
  • CVE-2023-29547
  • CVE-2023-29544
  • CVE-2023-29543
  • CVE-2023-29540
  • CVE-2023-29537
• 112.0 - one Linux specific vuln in particular around the handling of downloaded .desktop files - could allow an attacker to get code execution as the user running firefox - interesting to note that as a snap, firefox is confined by default and cannot execute arbitrary commands from the host system - can only use binaries from within the firefox snap itself or the user’s $HOME which makes exploitation of such an issue harder since less LOLBins to make use of

[USN-6011-1] Json-smart vulnerabilities (10:00)

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2023-1370
  • CVE-2021-31684
• Small and fast JSON parser for Java - two similar issues, one in handling of unclosed quotes and the other in unclosed brackets - both could allow an attacker to DoS the application through crafted input

Goings on in Ubuntu Security Community

Preparing for the release of Ubuntu 23.04 (Lunar Lobster) (10:36)

• Team has been busy finishing various items from the development roadmap for this cycle:
  • SBOM specification
  • improvements to how we distribute OVAL data
  • evaluation of dbus-broker integration with AppArmor to possibly replace dbus-daemon in a future Ubuntu release
  • Testing unprivileged user namespace restrictions via AppArmor
  • io_uring mediation support in AppArmor
  • Working with the snapd team on integrating dm-verity within snapd for improved integrity of snaps
  • Usual maintenance items as well:
    • all the normal CVE patching
    • a heap of MIR security reviews
    • snap store reviews
    • AppArmor upstream project maintenance
  • and more

Ubuntu Security Podcast on 2 weeks break

• Alex on leave next week and the following week is the 23.10 start-of-cycle product roadmap sprint in Prague
• Expect the podcast to be back the week ending 5th May

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntusecurity@fosstodon.org, @ubuntu_sec on twitter