Episode 3

Show Notes

Overview

This week we look at 29 unique CVEs addressed across the supported Ubuntu releases, a discussion of the Main Inclusion Review process and recent news around the bubblewrap package, and open positions within the team.

This week in Ubuntu Security Updates

29 unique CVEs addressed

[USN-3756-1] Intel Microcode vulnerabilities

• 3 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-3640
  • CVE-2018-3639
  • CVE-2018-3646
• Intel microcode updates to address L1TF, Spectre Variant 4 and Rogue System Register Read (RSRE)
• Intel initially released this with a brand new license which included terms around disallowing benchmarking and possibly preventing redistribution via the Ubuntu mirrors
  • As a result, we couldn’t provide updated microcode packages to full address L1TF etc
  • Intel have now reverted back to the license used on previous microcode packages and so this can now finally be released
• https://perens.com/2018/08/22/new-intel-microcode-license-restriction-is-not-acceptable/

[USN-3755-1] GD vulnerabilities

• 2 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-5711
  • CVE-2018-1000222
• Popular image manipulation and creating library used by PHP and therefore in many PHP web applications
• Issue in handling of signed integers in GIF decoder allows an attacker to enter an infinite loop and cause DoS via a specially crafted GIF file
• Double free in JPEG decoder could allow a user to possibly execute arbitrary code via specially crafted JPEG file

[USN-3757-1] poppler vulnerability

• 1 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-13988
• Fixed a crash (hence DoS) due to out-of-bounds read in PDF decoding

[USN-3758-1] libx11 vulnerabilities

• 5 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-14600
  • CVE-2018-14599
  • CVE-2018-14598
  • CVE-2016-7943
  • CVE-2016-7942
• Bundles some fixes for some low priority old CVEs with some new medium priority CVE fixes
• Updates are usually done in this manner, where low priority fixes wait to get fixed along with higher priority fixes for a package
• Fixes issues around handling of data from untrusted servers and image decoding
  • Usual failure to validate inputs, off-by-one, integer signedness confusion and incorrect freeing of dynamically allocated memory style issues

[USN-3758-2] libx11 vulnerabilities

• 5 CVEs addressed in Precise ESM
  • CVE-2018-14600
  • CVE-2018-14599
  • CVE-2018-14598
  • CVE-2016-7943
  • CVE-2016-7942

[USN-3752-3] Linux kernel (Azure, GCP, OEM) vulnerabilities

• 18 CVEs addressed in Xenial, Bionic
  • CVE-2018-1000204
  • CVE-2018-9415
  • CVE-2018-5814
  • CVE-2018-13406
  • CVE-2018-13405
  • CVE-2018-13094
  • CVE-2018-12904
  • CVE-2018-12233
  • CVE-2018-12232
  • CVE-2018-11506
  • CVE-2018-11412
  • CVE-2018-1120
  • CVE-2018-1108
  • CVE-2018-1093
  • CVE-2018-10881
  • CVE-2018-10840
  • CVE-2018-10323
  • CVE-2018-1000200
• Kernel updates for various hardware platforms etc corresponding to the same updates from last week

Goings on in Ubuntu Security Community

MIR Process and bubblewrap

• Security team is responsible for doing security audits of packages which are proposed to be included in the main section of the Ubuntu package repository
  • Packages in main are officially maintained, supported and recommended so deserve a high level of scrutiny before promotion into main
  • Security team historically only provides security updates to packages in main as well
  • So we have to be confident we can maintain and support a given package
• To perform the security review we look at a number of things:
  • The code is evaluated to determine how easy or not it would be to maintain
  • The package itself is evaluated to look for potential issues
  • Code is then evaluated to look for potential existing security vulnerabilities
• This can be a time consuming process, especially to do well
• Recently this was in the news, when Hanno Böck (infosec journalist and researcher) and Tavis Ormandy (GPZ) raised the issue of lack of bubblewrap support for gnome desktop thumbnailers
  • bubblewrap provides support for sandboxing processes via namespaces and the use of it to sandbox desktop thumbnailers was introduced in the GNOME 3.26 release
  • It was planned to be supported for Ubuntu 18.04, but to do this the package had to be moved from universe into main, hence a MIR
  • Due to shifting priorities, the security team was not able to get this done in time and hence the feature had to be disabled
  • This MIR is being proritised now so this security hardening feature should be available in an upcoming release
  • Security team is also looking at how to strengthen the hardening via AppArmor MAC profiles in addition
  • Thanks to Hanno and Tavis for giving this greater visibility
• https://wiki.ubuntu.com/MainInclusionProcess
• https://www.bleepingcomputer.com/news/security/ubuntu-is-undoing-a-gnome-security-feature/

Hiring

Ubuntu Security Manager

• https://boards.greenhouse.io/canonical/jobs/1278287

Ubuntu Security Engineer

• https://boards.greenhouse.io/canonical/jobs/1158266

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter