This week we look at some recent security developments from PyPI, the Linux Security Summit North America and the pending transition of Ubuntu 18.04 to ESM, plus we cover security updates for cups-filter, the Linux kernel, Git, runC, ncurses, cloud-init and more.
83 unique CVEs addressed
system() to run a command which contained various values that could be controlled by the attacker
execve() plus some other smaller changes to perform sanitisation of the input
.gitmodules file with submodule URLs longer than 1024 chars - could inject arbitrary config into the user's git config - e.g. could configure the pager or editor etc. to run some arbitrary command
git apply --reject
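As an added illustration (not from the podcast or from Git itself) of the .gitmodules issue above, the check below parses a .gitmodules file and flags submodule URLs over the 1024-character threshold the episode mentions, so a repository can be inspected before it is cloned or updated recursively on a not-yet-patched host; the sample file and the 1024 limit constant are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

URL_LIMIT = 1024  # threshold from the Git issue discussed in the episode

# .gitmodules layout: [submodule "name"] sections holding indented key = value lines
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal line-based parser. configparser is avoided on purpose: it would
    treat Git's tab-indented key lines as continuations of the previous value."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group("key").lower()] = m.group("value")
    return modules


def find_overlong_urls(text: str, limit: int = URL_LIMIT) -> List[Tuple[str, int]]:
    """Return (submodule name, url length) for every url longer than `limit`."""
    return [(name, len(cfg["url"]))
            for name, cfg in parse_gitmodules(text).items()
            if "url" in cfg and len(cfg["url"]) > limit]


# Constructed sample: one ordinary submodule and one whose URL is far too long.
SAMPLE_GITMODULES = (
    '[submodule "libfoo"]\n'
    '\tpath = vendor/libfoo\n'
    '\turl = https://example.com/libfoo.git\n'
    '[submodule "suspicious"]\n'
    '\tpath = vendor/suspicious\n'
    '\turl = https://example.com/' + "a" * 1100 + '.git\n'
)

if __name__ == "__main__":
    for name, length in find_overlong_urls(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: url is {length} chars (> {URL_LIMIT}), inspect before recursing")
```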
~/.terminfo - will get used by a setuid binary as well - turns out though that ncurses has a build-time configuration option to disable the use of custom terminfo/termcap when running setuid - fixed this by enabling that option