Episode 24

Posted on Tuesday, Mar 19, 2019
A look at recent fixes for vulnerabilities in poppler, WALinuxAgent, the Linux kernel and more. We also talk about some listener feedback on Ubuntu hardening and the launch of Ubuntu 14.04 ESM.

Show Notes

Overview

A look at recent fixes for vulnerabilities in poppler, WALinuxAgent, the Linux kernel and more. We also talk about some listener feedback on Ubuntu hardening and the launch of Ubuntu 14.04 ESM.

This week in Ubuntu Security Updates

18 unique CVEs addressed

[USN-3905-1] poppler vulnerability

  • 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Heap-based buffer underwrite (index into array using negative index) - write into heap memory which preceeds the intended buffer - heap corruption - crash -> DoS, possible code execution
  • Found by fuzzing and AddressSanitizer in clang

[USN-3906-1] LibTIFF vulnerabilities

[USN-3907-1] WALinuxAgent vulnerability

  • 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • WALinuxAgent used to manage instances of Ubuntu (and other Linux distributions) running on Azure
  • Can be used to configure swap space for a given image
    • would then create a swap file (/mnt/swapfile) BUT would make it world-readable
    • so any local user could read it - if keys or other sensitive items were in memory that got swapped to disk could be read by all
  • Fixed to make this readable only by root and to also correct the permissions on any existing swapfile as well

[USN-3902-2] PHP vulnerabilities

[USN-3910-1, USN-3910-2] Linux kernel vulnerabilities

  • 5 CVEs addressed in Xenial and Trusty (Xenial HWE)
  • 2 of these discussed in previous episodes Episode 23 (PolicyKit start time, DoS via mmaping a FUSE-backed file into processes memory containing command-line args)
  • Trigger of BUG_ON() in kernel (like assert() for kernel code) due to integer overflow from large pgoff parameter to remap_file_pages() when used in conjuction with an existing mmap() -> crash -> DoS
  • OOB read in USB driver for Option High Speed mobile devices - would read a descriptor from the USB device as a u8 and then index into an array with this without checking whether it fell within the array
  • NULL pointer dereference in f2fs driver via use of noflush_merge mount option

[USN-3908-1, USN-3908-2] Linux kernel vulnerability

  • 1 CVEs addressed in Trusty and Precise ESM (Trusty HWE)
  • See last week's Episode 23 - discussed for Bionic kernel - now for Trusty kernel (and the Trusty HWE kernel backported to Precise ESM)
    • PolicyKit start time issue, fixed in kernel

[USN-3909-1] libvirt vulnerability

  • 1 CVEs addressed in Xenial, Bionic, Cosmic
  • NULL pointer dereference in libvirt if agent does not reply in time (say guest is being shutdown) - crash host libvirt -> DoS

Goings on in Ubuntu Security Community

Ubuntu Hardening Response

Extended Security Maintenance for Ubuntu 14.04 (Trusty Tahr) begins April 25 2019

Hiring

Ubuntu Security Generalist

Robotics Security Engineer

Get in contact