Episode 31

Posted on Monday, May 13, 2019
This week we cover security fixes for GNOME Shell, FFmpeg, Sudo, Ghostscript and others, and we talk to Joe McManus about malicious DockerHub images, Git repos being held to ransom, and more.

Show Notes


This week in Ubuntu Security Updates

14 unique CVEs addressed

[USN-3966-1] GNOME Shell vulnerability

  • 1 CVE addressed in Bionic, Cosmic
  • A local user could potentially bypass various restrictions of the lock screen: menu items could still be activated by keyboard combinations, and these could then be used to take screenshots (and fill up disk space), close windows behind the lock screen, or start the screen reader, which could read out the contents of windows behind the lock screen.
  • Fixed by disabling all menu items when the screen is locked

[USN-3965-1] aria2 vulnerability

  • 1 CVE addressed in Cosmic, Disco
  • CLI download tool (akin to curl / wget, but can also do BitTorrent and others)
  • When logging, it would store credentials in the log file, which could be read by other users
  • Fixed by masking out credentials

[USN-3967-1] FFmpeg vulnerabilities

  • 5 CVEs addressed in Bionic, Cosmic, Disco
  • CPU DoS in Matroska and HTML subtitle decoding
  • Various issues discovered by Google’s oss-fuzz / clusterfuzz project:
    • Two OOB reads in the MPEG-4 decoder
    • NULL pointer dereference and OOB read in the HEVC decoder
  • Assertion failure on a missing audio packet size in the FLV encoder

[USN-3968-1] Sudo vulnerabilities

  • 2 CVEs addressed in Xenial
  • Fails to properly parse /proc/PID/stat, which sudo uses to determine its controlling tty. The name field in that file can contain newlines, but sudo only read one line of input and so got a truncated name. When sudo is used with SELinux, this allows an attacker to confuse sudo as to where stdout / stderr should go, and so cause sudo to overwrite an arbitrary file by creating a symlink from the supposed tty to the destination file.
  • Fixed by ensuring the full name is parsed, including any newlines
  • sudo can restrict users with sudo access from running further commands via the NOEXEC tag
    • Does this by using LD_PRELOAD to replace exec() and related functions with versions that return an error
    • wordexp() performs shell expansion on a string, so the string can contain shell directives such as $(foo) that run a command and capture its output. This runs commands and was not stopped by the LD_PRELOAD library, so a user allowed to run a binary which calls wordexp() could bypass the restriction
    • Fixed by adding wordexp() to the LD_PRELOAD wrapper and by adding a seccomp filter to stop all execve() calls entirely
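The /proc/PID/stat parsing problem above comes down to how the parenthesised name field is skipped. The following is an added example, not sudo's code: it contrasts a line-oriented parser that stops at the first ')' with one that reads the whole buffer and uses the last ')' (the name is the only field that can contain ')' or whitespace, so the last ')' always terminates it). The stat contents, field values and the fake fields inside the name are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /proc/PID/stat contents (not captured from a real
 * system). The name between the parentheses contains spaces, a ')' and a
 * newline; the real tty_nr (field 7) is 34816. A line-oriented reader sees
 * only the first line, and a first-')' parser then takes the fake fields
 * embedded in the name. */
static const char sample_stat[] =
    "4242 (a) S 1 2 3 99\n"
    "b) S 1 4242 4242 34816 4242 4194304 0 0 0 0 0 0 0 0 20 0 1 0 100 0 0\n";

/* Parse fields 3..7 (state ppid pgrp session tty_nr) starting just after
 * the closing ')' of the name. Returns tty_nr, or -1 if any field is missing. */
static long fields_after_name(const char *p)
{
    char state;
    long ppid, pgrp, session, tty_nr;
    if (sscanf(p, " %c %ld %ld %ld %ld",
               &state, &ppid, &pgrp, &session, &tty_nr) != 5)
        return -1;
    return tty_nr;
}

/* Naive parser: keeps only the first line and scans for the FIRST ')'. */
long tty_nr_naive(const char *stat)
{
    char line[512];
    size_t n = strcspn(stat, "\n");          /* stop at the first newline */
    if (n >= sizeof line)
        return -1;
    memcpy(line, stat, n);
    line[n] = '\0';
    const char *close = strchr(line, ')');
    return close ? fields_after_name(close + 1) : -1;
}

/* Robust parser: uses the whole buffer and the LAST ')'. Every field after
 * the name is numeric (or a single state letter), so the last ')' in the
 * buffer always ends the name, whatever characters the name contains. */
long tty_nr_robust(const char *stat)
{
    const char *close = strrchr(stat, ')');
    return close ? fields_after_name(close + 1) : -1;
}

int main(void)
{
    printf("naive parse:  tty_nr = %ld (attacker-chosen)\n", tty_nr_naive(sample_stat));
    printf("robust parse: tty_nr = %ld (real value)\n", tty_nr_robust(sample_stat));
    return 0;
}
```

The same idea applies to any field that a less-privileged process controls: locate the delimiter from the end of the data, and read the whole file rather than a single line, before trusting what follows.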

[USN-3969-1, USN-3969-2] wpa_supplicant and hostapd vulnerability

  • 1 CVE addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • Possible NULL pointer dereference if an attacker could construct out-of-sequence EAP message fragments
  • Fixed by validating and rejecting invalid fragments on both the peer and server side
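To show the class of check the fix adds, here is an added, deliberately simplified model of fragment reassembly; it is not wpa_supplicant's or hostapd's code and does not reproduce the EAP wire format. A fragment carries an L flag (announces the total length and starts a message), an M flag (more fragments follow) and a payload. The reassembly buffer is NULL until a first fragment arrives, so a continuation fragment that shows up first must be rejected rather than copied into it. The flag values, size limit and payloads are all constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { FLAG_L = 1, FLAG_M = 2 };                /* constructed flag bits */
enum result { R_NEED_MORE, R_DONE, R_REJECT };

struct reasm {
    uint8_t *buf;    /* NULL until a first fragment (L set) arrives */
    size_t total;    /* announced total length */
    size_t have;     /* bytes received so far */
};

void reasm_reset(struct reasm *r)
{
    free(r->buf);
    r->buf = NULL;
    r->total = r->have = 0;
}

/* Feed one fragment. Validates sequencing and lengths before touching the
 * buffer; the unfixed pattern would dereference r->buf unconditionally. */
enum result reasm_add(struct reasm *r, int flags, size_t total_len,
                      const uint8_t *data, size_t len)
{
    if (flags & FLAG_L) {
        reasm_reset(r);                         /* a new message starts */
        if (total_len == 0 || total_len > 4096 || len > total_len)
            return R_REJECT;
        r->buf = malloc(total_len);
        if (r->buf == NULL)
            return R_REJECT;
        r->total = total_len;
    } else if (r->buf == NULL) {
        return R_REJECT;    /* continuation with no message in progress */
    }
    if (len > r->total - r->have) {             /* more data than announced */
        reasm_reset(r);
        return R_REJECT;
    }
    memcpy(r->buf + r->have, data, len);
    r->have += len;
    if (flags & FLAG_M) {
        if (r->have < r->total)
            return R_NEED_MORE;
        reasm_reset(r);                         /* "more" but already full */
        return R_REJECT;
    }
    if (r->have != r->total) {                  /* final fragment too short */
        reasm_reset(r);
        return R_REJECT;
    }
    return R_DONE;
}

/* Scenario 1: a continuation fragment arrives before any first fragment. */
int out_of_sequence_rejected(void)
{
    struct reasm r = {0};
    const uint8_t junk[4] = {1, 2, 3, 4};       /* constructed payload */
    enum result res = reasm_add(&r, 0, 0, junk, sizeof junk);
    reasm_reset(&r);
    return res == R_REJECT;
}

/* Scenario 2: two in-order fragments of "hello world" reassemble. */
int in_order_reassembles(void)
{
    struct reasm r = {0};
    const uint8_t msg[] = "hello world";        /* 11 payload bytes */
    enum result a = reasm_add(&r, FLAG_L | FLAG_M, 11, msg, 5);
    enum result b = reasm_add(&r, 0, 0, msg + 5, 6);
    int ok = a == R_NEED_MORE && b == R_DONE &&
             r.have == 11 && memcmp(r.buf, msg, 11) == 0;
    reasm_reset(&r);
    return ok;
}

/* Scenario 3: a continuation carrying more than the announced total. */
int overlong_rejected(void)
{
    struct reasm r = {0};
    const uint8_t bytes[5] = {0};
    enum result a = reasm_add(&r, FLAG_L | FLAG_M, 4, bytes, 2);
    enum result b = reasm_add(&r, 0, 0, bytes, 5);
    reasm_reset(&r);
    return a == R_NEED_MORE && b == R_REJECT;
}
```

The point is that the state machine decides whether a fragment is acceptable from its own state (is a message in progress, how much is still expected) before any pointer derived from that state is used.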

[USN-3970-1] Ghostscript vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
  • Follow-up to CVE-2019-6116 (Episode 18)
    • GS sandbox allowed access to system operators which allowed arbitrary code execution
    • Missed some protections for pdf related operations which could also allow code execution

[USN-3971-1] Monit vulnerabilities

  • 2 CVEs addressed in Cosmic, Disco
  • Buffer over-read when decoding URLs could allow a remote authenticated attacker to read other memory: primarily information disclosure, but it could also cause a crash by reading from an invalid memory location
  • Persistent XSS when decoding the Authorization header for HTTP Basic Authentication could allow an unauthenticated remote attacker to inject arbitrary JavaScript into the _viewlog operation; fixed by properly escaping this data
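The URL over-read above is the classic percent-decoding mistake: after seeing '%', the decoder reads the next two bytes without checking that they exist. The following is an added example, not Monit's code, of a decoder that bounds every read against the remaining input, bounds every write against the output buffer, and rejects malformed escapes rather than guessing. The helper functions and all sample inputs are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode percent-escapes (and '+' as space) from the NUL-terminated src into
 * dst, which has capacity dstlen. Returns the decoded length, or -1 if the
 * input is malformed or the result does not fit. The "n - i < 3" check is
 * what prevents a trailing "%" or "%4" from reading past the input. */
long url_decode(const char *src, char *dst, size_t dstlen)
{
    if (dstlen == 0)
        return -1;
    size_t n = strlen(src), o = 0;
    for (size_t i = 0; i < n; i++) {
        char c = src[i];
        if (c == '%') {
            if (n - i < 3)
                return -1;                      /* incomplete escape */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;                      /* not two hex digits */
            c = (char)(hi * 16 + lo);
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= dstlen)
            return -1;                          /* keep room for the NUL */
        dst[o++] = c;
    }
    dst[o] = '\0';
    return (long)o;
}

/* Check helper: 1 if src decodes exactly to expected, else 0. */
int decodes_to(const char *src, const char *expected)
{
    char buf[64];
    long n = url_decode(src, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Check helper: 1 if url_decode rejects src given an output capacity of cap. */
int rejected(const char *src, size_t cap)
{
    char buf[64];
    if (cap > sizeof buf)
        cap = sizeof buf;
    return url_decode(src, buf, cap) < 0;
}
```

Rejecting malformed input is the safer default for a server-side decoder; a decoder that instead passes an unterminated '%' through literally must still take the same length check, otherwise the over-read simply moves.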

[USN-3956-2] Bind vulnerability

  • 1 CVE addressed in Precise ESM, Trusty ESM
  • Episode 29 covered the fix for the standard support releases; now also fixed in ESM

Discussion with Joe McManus about malicious DockerHub images and Git repo takeover ransoms

Goings on in Ubuntu Security Community

Robotics Security Engineer

Security Certifications Engineer

Get in contact