Episode 44

Show Notes

Overview

This week Joe and Alex discuss a recently disclosed backdoor in Webmin, plus we cover security updates from the past week, including for Nova, KDE, LibreOffice, Docker, CUPS and more.

This week in Ubuntu Security Updates

21 unique CVEs addressed

[USN-4100-1] KConfig and KDE libraries vulnerabilities [00:46]

• 2 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2016-6232
  • CVE-2019-14744
• Directory traversal in KArchive via ../
• RCE via malicious .desktop file - contianed extra functionality outside of XDG spec, where could contain shell commands that would get expanded - so if you view a .desktop file in Dolphin, and the Icon property contained shell commands, this would get evaluated - so wouldn’t need to interact at all - upstream now removed this ‘feature’

[USN-4102-1] LibreOffice vulnerabilities [02:45]

• 3 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2019-9852
  • CVE-2019-9851
  • CVE-2019-9850
• Docs can have macros & scripts on action - document-open, mouse-over
  • Should only be for scripts shipped in libreoffice itself
  • Path bypass in CVE-2018-16858 - so added more protections
  • Could be bypassed again with URL encoding - so fix again
• Second LibreLogo issue (Episode 40) - could bypass previous protections again - was fixed upstream but found to still be inadequate - hence 2 CVEs for this (incomplete fix the first time around)

[USN-4078-2] OpenLDAP vulnerabilities [04:26]

• 2 CVEs addressed in Precise ESM, Trusty ESM
  • CVE-2019-13565
  • CVE-2019-13057
• Episode 41 for regular releases - now ESM as well

[USN-4103-1, USN-4103-2] docker-credential-helpers and Docker vulnerabilities [04:52]

• 1 CVEs addressed in Disco (docker-credential-helpers)
• 1 CVEs addressed in Xenial, Bionic, Disco (docker)
  • CVE-2019-1020014
• golang-docker-credentials package had a double-free which could be triggered via a local user -> crash, DoS
• Bundled with docker.io package so update both

[USN-4104-1] Nova vulnerability [05:28]

• 1 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2019-14433
• API requests which end in fault conditions from authenticated users could result in keys or other details being leaked / returned in responses to further API requests (not just any error / fault but say if tried to hard-reboot and this fails) - fixed to sanitize any possible details out of faults

[USN-4105-1] CUPS vulnerabilities [06:30]

• 2 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2019-8675
  • CVE-2019-8696
• SNMP backend - parses ASN.1 encoded data - can be used to automatically get status from printers etc - would not do bounds checking on actual encoded ASN.1 data vs the description of it - so could easily get a stack buffer overflow - fixed to add bounds checking
• Also includes some other upstream fixes for potential security issues (without CVEs), including a CPU based DoS if a cups client unexpectedly disconnected

[USN-4106-1] NLTK vulnerability [07:37]

• 1 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2019-14751
• Python Natural Language Toolkit - downloads datasets as ZIP compressed
• Mike Salvatore - ZipSlip
• https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/
• Fixed to use inbuilt python zipfile handling to unzip rather than custom implementation

[USN-4107-1] GIFLIB vulnerabilities [08:35]

• 3 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2019-15133
  • CVE-2018-11490
  • CVE-2016-3977
• Common library used for handling GIF images (openjdk, ffmpeg, gstreamer, kde)
• Divide-by-zero
• 2 different heap based buffer overflows - one was originally fixed in Debian but the patch for it got dropped in a later release - so we have repatched that

[USN-4108-1] Zstandard vulnerability [09:20]

• 1 CVEs addressed in Bionic
  • CVE-2019-11922
• Common library (maintained by Facebook) for handling the zstd compression algorithm
• Race condition when using single-pass compression, might allow attacker to get OOB write IF the caller had provided a smaller output buffer than the recommended size
• So likely won’t affect all packages which use zstd (there are many) - should always follow best practice

[USN-4109-1] OpenJPEG vulnerabilities [10:11]

• 5 CVEs addressed in Bionic
  • CVE-2018-6616
  • CVE-2018-5785
  • CVE-2018-18088
  • CVE-2018-14423
  • CVE-2017-17480
• 4 different DoS issues:
  • 2 in BMP handling:
    • CPU based DoS due to inefficient algorithm implementation
    • Integer overflow -> OOB read -> DoS
  • NULL pointer dereference when converting to PNM
  • Divide by zero
• Stack based buffer overflow when handling JP3D encoded data - OOB write - DoS / RCE

Goings on in Ubuntu Security Community

Joe and Alex discuss webmin backdoor [11:21]

• http://www.webmin.com/exploit.html

Get in contact [21:45]

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter