Episode 34

Show Notes

This week we look at security updates for Keepalived, Corosync, GnuTLS, libseccomp and more, plus we talk insider threats with Joe McManus.

32 unique CVEs addressed

1 CVEs addressed in Bionic, Cosmic, Disco
- CVE-2019-11460
Thumbnailers could possibly escape bubblewrap sandbox by using TIOCSTI ioctl to send characters to the controlling terminals input buffer and hence escape the sandbox
- Requires to compromise a thumbnailer in the first place so less impact
- Similar to CVE-2019-10063 for flatpak and CVE-2019-7303 for snapd

1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic
- CVE-2018-19115
Heap based buffer overflow when parsing HTTP response code - would potentially write an unlimited amount of attacker controlled data to the heap for a 10-byte long buffer
Crash -> DoS, RCE
Fixed to properly parse and expect at most a 3 digit long response code

6 CVEs addressed in Bionic, Cosmic
Back in December published update for FreeRDP (USN-3845-1 - Episode 16)
- In Bionic and Cosmic freerdp2 is in main, so that update was for freerdp2
- This update is for freerdp (v1), which is in universe in bionic + cosmic
- Corresponding update

1 CVEs addressed in Precise ESM, Trusty ESM
- CVE-2015-6806
Old low priority issue fixed for ESM releases (fixed back in 2015 upstream so screen in Xenial, Bionic etc not affected)
Attacker could cause a crash due to stack overrun via recursion due to large number of repeated ANSI escape sequences in output

1 CVEs addressed in Xenial, Bionic
- CVE-2018-15587
Research from Marcus Brinkmann showed it was possible to create an encrypted email with a zero-length encrypted section along with unencrypted contents which Evolution (and other email clients) would show as being encrypted.
Mail clients call out to gpg (gnupg) to decrypt the email but are lax in parsing GPGs output and so confuse the whole email as being encrypted
Due to SW arch of evolution, part of this fix is done in Evolution itself (to better highlight to the user that the email contains unencrypted portions) and part is done in the backend (Evolution Data Server) to properly parse output of gnupg

5 CVEs addressed in Xenial, Bionic, Cosmic, Disco
3 CVEs related to “Lucky Thirteen” attack (originally published in 2013)
- Timing attack against TLS implementations that use CBC
- One countermeasure was to use “psuedo constant time”
- New research showed this is not sufficient (incidentally one of the researchers was Adi Shamir, co-inventor of the RSA algorithm - the “S” in RSA)
1 CVE from Tavis Ormandy (double-free when handling X.509 certificates) - crash -> DoS, code execution
Last CVE - uninitialized pointer could be dereferenced when handling certain post-handshake messages - likely crash -> DoS

1 CVEs addressed in Xenial, Bionic
- CVE-2018-1084
Integer overflow leading to a buffer overflow (read), able to be triggered by an unauthenticated user - crash -> DoS

1 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
- CVE-2019-9893
Seccomp allows to write policies to act on system calls arguments via BPF - includes comparison operators like less than (LT) etc - Jann Horn discovered that on 64-bit platforms it did not generate correct BPF to perform comparisons correctly
In this case, the updates from upstream relied on other upstream changes so we chose to upgrade seccomp entirely rather than try and backport the fixes as they were too involved and so less risk overall in upgrading the version than in backporting