Episode 25

Posted on Monday, Mar 25, 2019
Ghostscript is back to haunt us for another week, plus we look at vulnerabilities in ntfs-3g, snapd, firefox and more.

Show Notes


Ghostscript is back to haunt us for another week, plus we look at vulnerabilities in ntfs-3g, snapd, firefox and more.

This week in Ubuntu Security Updates

39 unique CVEs addressed

[USN-3911-1] file vulnerabilities

  • 4 CVEs addressed in Xenial, Bionic, Cosmic
  • 4 DoS (crash) found via fuzzing:
    • Stack overflow in readelf
    • 2 different OOB read due to failure to NULL terminate a string before processing it
    • Read past end of stack due to failing to properly keep track of buffer sizes

[USN-3906-2] LibTIFF vulnerabilities

[USN-3912-1] GDK-PixBuf vulnerability

  • 1 CVEs addressed in Xenial
  • Failure to properly validate BMP image palette parameters - leading to OOB when decoding colormap later on

[USN-3914-1] NTFS-3G vulnerability

  • 1 CVEs addressed in Xenial, Bionic, Cosmic
  • Discovered recently by Chris Coulson during code-audit of ntfs-3g - actually had been fixed upstream late last year but no CVE assigned
  • Heap buffer overflow able to be triggered when mounting a filesystem onto a mount point with path name greater than PATH_MAX, and from a current working directory which has a path name also greater than PATH_MAX
  • Contents of buffers is attacker controlled so heap can be overflown with attacker controlled input - likely to leverage into arbitrary code execution
  • Contrived example BUT in Debian and Ubuntu ntfs-3g is setuid root - which then leads to root privilege escalation with arbitrary code execution
  • Update was released within hours of the bug being made public to fix the heap buffer overflow
  • Currently testing ntfs-3g as not-setuid root to release in a future update to avoid any other possible privilege escalation bugs in the future

[USN-3915-1] Ghostscript vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Similar to previous CVE, forceput operator could be extracted from the DefineResource method to allow access to the file-system outside of the -dSAFER sandbox
  • superexec operator was available in the internal dictionary - also able to be extracted and hence used to access files outside the sandbox

[USN-3913-1] P7ZIP vulnerabilities

  • 2 CVEs addressed in Xenial
  • Heap based OOB write when decompressing a crafted ZIP file (crash -> DoS, possible code execution)
  • Heap based OOB read when decompressing a UDF file (universal disk format - used for DVD images) - crash, DoS

[USN-3918-1] Firefox vulnerabilities

[USN-3917-1] snapd vulnerability

  • 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Jann Horn reported the seccomp blacklist for TIOCSTI can be bypassed
  • snapd creates a seccomp filter for each snap which is designed to block TIOCSTI (as this can be used to fake input to other processes outside of the sandbox)
  • This is a 32-bit value to the ioctl system call, but on 64-bit architectures the kernel does this comparison as a 64-bit integer - so can be circumvented by using a 64-bit value to ioctl systemcall which has other bits set in the upper 32 bits - since when seccomp does comparison it uses the full 64 bits - so it won’t match the 32-bit value of TIOCSTI and so will be allowed - but then when used as the ioctl() argument it will correctly be truncated to 32-bits and the ioctl will proceed
  • Fixed in snapd to add a second seccomp filter to disallow anything in the upper 32-bits
  • Initially seemed like a kernel or libseccomp issue but both currently document this as a limitation already so treated in the end as a vulnerability in snapd

[USN-3916-1] libsolv vulnerabilities

  • 3 CVEs addressed in Cosmic
  • Dependency solver used by packaging systems to resolve dependencies between packages etc
  • 2 NULL pointer dereferences and 1 invalid memory read due to mishandling of variable length function arguments - all crash -> DoS

Goings on in Ubuntu Security Community


Ubuntu Security Generalist

Robotics Security Engineer

Get in contact