AppArmor unprivileged user namespace restrictions are back on the agenda this week as we survey the latest improvements to this hardening feature in the upcoming Ubuntu 24.04 LTS, plus we discuss SMTP smuggling in Postfix, runC container escapes and Qualys’ recent disclosure of a privilege escalation exploit for GNU libc and more.
39 unique CVEs addressed
<CR><LF>.<CR><LF> gets interpreted loosely, so that it is possible to include extra SMTP commands within the message data which then go on to be interpreted as additional SMTP commands to be executed by the receiving server, causing it to receive two emails when only one was sent in the first place. The usual SPF checks get bypassed for this second email, so this can bypass SPF/DMARC policies to spoof emails from various domains.
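To make the point about loose end-of-data handling concrete, here is an added example in C (it is not Postfix code and not from the podcast): a strict scanner that terminates DATA only at the canonical <CR><LF>.<CR><LF>, a lenient one that also accepts bare-<LF> lookalikes, and a check that flags a message where the two disagree, which is the condition a receiver or a mail filter would want to reject. The sample messages, the function names and the exact set of lookalikes accepted by the lenient scanner are constructed for this illustration and are not taken from the Postfix implementation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the body carries a bare-LF lookalike "\n.\r\n" of the
 * end-of-data sequence, followed by more body text and then the real
 * "\r\n.\r\n" terminator. */
static const char SAMPLE_SMUGGLED[] =
    "line one\r\n"
    "line two\n.\r\n"
    "line three\r\n"
    ".\r\n";

/* Constructed sample that only has a canonical terminator. */
static const char SAMPLE_CLEAN[] = "hello\r\n.\r\n";

/* Strict receiver: DATA ends only at the canonical <CR><LF>.<CR><LF>.
 * Returns the offset of the terminating '.', or -1 if there is none. */
long find_strict_eod(const char *buf, size_t len) {
    static const char eod[] = "\r\n.\r\n";
    const size_t n = sizeof eod - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, eod, n) == 0)
            return (long)(i + 2);
    return -1;
}

/* Lenient receiver (assumed behaviour): also accepts a lone-dot line that is
 * delimited by a bare <LF> on either side ("\n.\n", "\n.\r\n", "\r\n.\n").
 * Anything after the lookalike would be read as commands by such a receiver.
 * Returns the offset of the first '.' treated as the terminator, or -1. */
long find_lenient_eod(const char *buf, size_t len) {
    for (size_t i = 0; i + 3 <= len; i++) {
        if (buf[i] != '\n' || buf[i + 1] != '.')
            continue;
        size_t j = i + 2;
        if (j < len && buf[j] == '\r')
            j++;
        if (j < len && buf[j] == '\n')
            return (long)(i + 1);
    }
    return -1;
}

/* Defensive check: flag a message in which a lenient receiver would end DATA
 * somewhere other than at the canonical terminator (or where only a
 * lookalike terminator exists at all). */
int eod_is_ambiguous(const char *buf, size_t len) {
    long strict = find_strict_eod(buf, len);
    long lenient = find_lenient_eod(buf, len);
    if (strict < 0)
        return lenient >= 0;
    return lenient >= 0 && lenient != strict;
}

int main(void) {
    size_t n = strlen(SAMPLE_SMUGGLED);
    printf("smuggled sample: strict=%ld lenient=%ld ambiguous=%d\n",
           find_strict_eod(SAMPLE_SMUGGLED, n),
           find_lenient_eod(SAMPLE_SMUGGLED, n),
           eod_is_ambiguous(SAMPLE_SMUGGLED, n));
    printf("clean sample: ambiguous=%d\n",
           eod_is_ambiguous(SAMPLE_CLEAN, strlen(SAMPLE_CLEAN)));
    return 0;
}
```

For the smuggled sample the strict scanner finds the terminator at offset 34 while the lenient one stops at offset 19, so the check flags it; the clean sample gives the same offset for both.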
syslog() system call

argv[0] in a call to snprintf() into a fixed-size buffer allocated on the stack: snprintf() won't overflow this buffer but will return a value larger than its size. As a result the heap buffer meant to then contain this string would only get allocated with a size of 1 byte, but the full expected data would then get copied into it; since the attacker controls this value they can write arbitrary data to the heap just by using a crafted program name (which is easy to do via the exec command built in to bash etc).

/usr/bin/su call syslog() internally and so can be abused in this way
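The defensive pattern this bug class calls for, as an added C example that is neither glibc's code nor its fix: never reuse the return value of snprintf() as a byte count for a fixed buffer without clamping it, because it is the length the complete string would have had rather than the number of bytes stored, and when a heap copy is needed, measure with snprintf(NULL, 0, ...) and allocate exactly that. The "<ident>[<pid>]: <msg>" format string, the FIXED_BUF size and the helper names are assumptions made for this illustration; the over-long identifier stands in for an attacker-chosen argv[0].

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer; a constructed value for this example. */
#define FIXED_BUF 64

/* Format "<ident>[<pid>]: <msg>" into a correctly sized heap buffer: measure
 * with snprintf(NULL, 0, ...), allocate exactly that many bytes plus the NUL,
 * then format again. Returns a malloc'd string (caller frees) or NULL. */
char *format_log_prefix(const char *ident, long pid, const char *msg) {
    int need = snprintf(NULL, 0, "%s[%ld]: %s", ident, pid, msg);
    if (need < 0)
        return NULL;
    size_t size = (size_t)need + 1;
    char *out = malloc(size);
    if (out == NULL)
        return NULL;
    int wrote = snprintf(out, size, "%s[%ld]: %s", ident, pid, msg);
    if (wrote < 0 || (size_t)wrote >= size) { /* defensive; inputs did not change */
        free(out);
        return NULL;
    }
    return out;
}

/* Format into a FIXED_BUF stack buffer and report what is actually there.
 * The snprintf() return value is clamped to the buffer before it is used as
 * a byte count. Returns the number of bytes present (excluding the NUL);
 * *truncated is set when the input did not fit. */
size_t fixed_buffer_report(const char *ident, long pid, const char *msg,
                           int *truncated) {
    char buf[FIXED_BUF];
    int want = snprintf(buf, sizeof buf, "%s[%ld]: %s", ident, pid, msg);
    if (want < 0) {
        *truncated = 1;
        return 0;
    }
    if ((size_t)want >= sizeof buf) {
        *truncated = 1;
        return sizeof buf - 1; /* what actually fits, not what was wanted */
    }
    *truncated = 0;
    return (size_t)want;
}

/* Wrappers returning the two results separately. */
int fixed_buffer_truncates(const char *ident, long pid, const char *msg) {
    int truncated = 0;
    (void)fixed_buffer_report(ident, pid, msg, &truncated);
    return truncated;
}

size_t fixed_buffer_bytes(const char *ident, long pid, const char *msg) {
    int truncated = 0;
    return fixed_buffer_report(ident, pid, msg, &truncated);
}

/* Build an identifier of n repeated characters, standing in for an over-long
 * program name; malloc'd, caller frees. */
char *make_repeated(char c, size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void) {
    char *ident = make_repeated('A', 300);
    char *full = format_log_prefix(ident, 1, "x");
    printf("heap copy holds %zu bytes\n", strlen(full));
    printf("fixed buffer holds %zu bytes, truncated=%d\n",
           fixed_buffer_bytes(ident, 1, "x"),
           fixed_buffer_truncates(ident, 1, "x"));
    free(full);
    free(ident);
    return 0;
}
```

With a 300-byte identifier the heap copy is sized for the full 306-byte string, while the stack buffer reports 63 bytes and a truncation flag; a caller that instead took snprintf()'s 306 as the count of bytes sitting in the 64-byte buffer would be reading and copying well past its end.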
intcomma template

CAP_NET_ADMIN within that namespace and so create firewall rules etc that only affect applications within that namespace and not the host system

CAP_NET_ADMIN etc as mentioned before) this is then denied

apparmor package in noble-proposed pocket