Episode 21

Posted on Thursday, Feb 21, 2019
Double episode covering the security updates from the last 2 weeks, including snapd (DirtySock), systemd and more, plus we talk responsible disclosure and some open positions on the Ubuntu Security team.

Show Notes

This week in Ubuntu Security Updates

15 unique CVEs addressed

[USN-3886-1] poppler vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Two DoS:
    • Out-of-bounds heap buffer read due to missing check for a negative index -> crash -> DoS
    • Crash due to hitting an assertion -> DoS

[USN-3888-1] GVfs vulnerability

  • 1 CVE addressed in Bionic, Cosmic
  • Could allow a local user with admin privileges (e.g. a member of the sudo group) to read arbitrary files without being prompted for authorisation, if no PolicyKit agents are running
    • PolicyKit agents run by default, so this would require the user to be running a different DE or to have uninstalled / disabled them
    • Also low impact since the user has that authority anyway

[USN-3889-1] WebKitGTK+ vulnerabilities

  • 2 CVEs addressed in Bionic, Cosmic
  • Memory corruption and type confusion errors - leading to possible remote code execution

[USN-3890-1] Django vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • Could cause Django to consume a large amount of memory when formatting a decimal number with a large number of digits or a large exponent, since it would simply print every provided character
  • Possible DoS, although a very large number would need to be input
  • Fix is to format numbers with more than 200 characters in scientific notation

[USN-3887-1] snapd vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • ‘DirtySock’ - discovered by Chris Moberly
  • Failed to correctly parse and validate the remote socket address
  • The code had undergone refactoring, which introduced this bug
  • Allows impersonation of a privileged user, and therefore calling privileged APIs via the snapd socket

[USN-3850-2] NSS vulnerabilities

[USN-3891-1] systemd vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • Discovered by Ubuntu Security team member Chris Coulson
  • Stack buffer overflow in handling of the DBus path field - declared as a VLA, but the sender could use a value larger than the stack size and therefore jump the entire stack and the guard pages
  • Segmentation violation -> crash -> DoS
    • systemd does not automatically restart, so this brings down the entire system - requires a reboot
  • Possible code execution but unlikely
  • DBus and systemd need to agree on the maximum size of various elements - the DBus spec says the path could be unlimited, but in practice it is less than 32MB (dbus-daemon limits messages to this size) - systemd now limits the path to 64KB AND ensures it keeps running after receiving an invalidly sized path

[USN-3892-1] GDM vulnerability

  • 1 CVE addressed in Bionic, Cosmic
  • Logic error in handling of timed logins (not enabled by default)
  • If the screen is already locked, select to log in as a different user, then select a user which has timed login enabled - after the timeout this will unlock the screen of the original user
  • Administrator privileges are needed to enable timed login for a given user, so low impact

[USN-3866-2] Ghostscript regression

  • Affecting Trusty, Xenial, Bionic, Cosmic
  • Previous update for Ghostscript (USN-3866-1 - Episode 18) caused a regression in printing 4"x6" (v9.26 - upstream bug)

[USN-3893-1] Bind vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Failed to properly apply controls to zone transfers - could allow clients to request and receive a zone transfer of a dynamically loadable zone contrary to the allow-transfer ACL
  • Assertion failure if a trust anchor’s keys are replaced with keys using an unsupported algorithm during a key rollover when using the managed-keys feature for DNSSEC validation
  • Remotely triggerable memory leak when processing particular packets - DoS

Goings on in Ubuntu Security Community

snapd, systemd and handling of embargoed issues

  • 2 updates involving close communication between the Ubuntu Security Team and external stakeholders - embargoed
  • Responsible disclosure - allows a fix to be coordinated in a timely manner, with the update then released once all parties are ready
  • Set a CRD (coordinated release date) with stakeholders (reporter, upstream, other distros etc.)
  • Coordinate fix with upstream and other distros
  • Plan coordinated updates to be released with other distros / upstream at CRD

Hiring

Ubuntu Security Generalist

Robotics Security Engineer

Security Automation Engineer

Get in contact