Episode 47

Posted on Thursday, Oct 3, 2019
We catch up on details of the past few weeks of security updates, including Python, curl, Linux kernel, Exim and more, plus Alex and Joe discuss the recent Ubuntu Engineering Sprint in Paris and building a HoneyBot for Admin Magazine.

Show Notes

Overview

We catch up on details of the past few weeks of security updates, including Python, curl, Linux kernel, Exim and more, plus Alex and Joe discuss the recent Ubuntu Engineering Sprint in Paris and building a HoneyBot for Admin Magazine.

This week in Ubuntu Security Updates

93 unique CVEs addressed

[USN-4125-1] Memcached vulnerability [00:42]

  • 1 CVEs addressed in Xenial, Bionic, Disco
  • Possible stack buffer over-read when using UNIX sockets (copies address of UNIX socket using strncpy() which could possibly read past the end of the src buffer) - possible crash -> DoS - fixed to explicitly limit length to smallest of src/dst buffers rather than just size of dest buffer

[USN-4126-1] FreeType vulnerability [01:49]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial
  • 2 CVEs addressed in Precise ESM, Trusty ESM only
  • All various heap based buffer over-reads - crash -> DoS

[USN-4127-1, USN-4127-2] Python vulnerabilities [02:13]

  • 8 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • 4 issues in urllib:
    • would allow to easily open files from local file-system
    • 2 different CRLF injection issues
    • specially crafted URL could cause urllib to send cookies / auth data for wrong host
      • Fixed incorrectly upstream so had a two CVEs assigned
  • http cookiejar wouldn’t validate URL correctly so could also send cookies for another domain
  • Possible NULL ptr deref when parsing X509 certs if had an empty CRL distpoint / URI
  • Possible integer overflow when serializing a tens of hundreds of gigabytes of data via the pickle format - could cause memory exhaustion

[USN-4128-1, USN-4128-2] Tomcat vulnerabilities [03:35]

  • 3 CVEs addressed in Xenial, Bionic (tomcat-8) and Bionic, Disco (tomcat-9)
  • HTTP/2 server would accept streams with an excessive number of SETTINGS frames and would permit clients to keep streams open without reading / writing anything - could lead to DoS by causing server-side threads to block
    • Original fix was incomplete - so got a second CVE
  • Possible XSS injection if using SSI printenv command as would echo user provided data without escaping - intended only for debugging so shouldn’t be used in a production website anyway

[USN-4120-2] systemd regression [04:45]

  • Affecting Bionic, Disco
  • Episode 46 - systemd-resolved dbus access control - the update was prepared using a pending SRU update - but this contained a regression in networking - re-released the security fix but without this SRU update included.

[USN-4115-2] Linux kernel regression [05:18]

  • Affecting Xenial (HWE), Bionic
  • Recent kernel update (Episode 46) could possibly crash on handling fragmented packets

[USN-4129-1, USN-4129-2] curl vulnerabilities [05:42]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • 1 extra CVEs addressed in Xenial, Bionic, Disco

[USN-4130-1] WebKitGTK+ vulnerabilities [06:15]

[USN-4131-1] VLC vulnerabilities [06:38]

[USN-4133-1] Wireshark vulnerabilities [06:48]

[USN-4132-1, USN-4132-2] Expat vulnerability [06:55]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • Crafted XML could fool the parser to switch to document parsing too early (whilst still in DTD) - could then result in a heap-based buffer over-read when looking up current line / column number - possible crash -> DoS

[USN-4134-1] IBus vulnerability [07:30]

  • 1 CVEs addressed in Xenial, Bionic, Disco
  • Failed to apply access controls to D-Bus server socket - could allow another local user to connect to logged in local user’s IBus daemon and snoop on keystrokes etc
    • Attacker needs to know IBus socket address which is randomised and not easily discoverable

[USN-4134-2] IBus regression [08:00]

  • Affecting Xenial, Bionic, Disco
  • Regressed for Qt users - Qt seems unable to connect to IBus socket - so reverted

[USN-4124-2] Exim vulnerability [08:25]

[USN-4113-2] Apache HTTP Server regression [08:38]

  • Affecting Xenial, Bionic, Disco
  • Episode 45 - HTTP/2 DoS issues - update caused a regression when proxying balance manager connections - fixed by incorporating missing upstream patches

[USN-4135-1, USN-4135-2] Linux kernel vulnerabilities [09:01]

  • 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • Possible host privilege escalation from a libvirt guest (guest user needs to be privileged)
  • 2 related info disclosures on PowerPC - local user could possibly read vector registers of other users’ processes either during an interrupt or via a facility unavailable exception

[LSN-0056-1] Linux kernel vulnerability [09:51]

  • 1 CVEs addressed in Xenial, Bionic
  • Livepatch notification of above libvirt host privesc

[USN-4136-1, USN-4136-2] wpa_supplicant and hostapd vulnerability [10:06]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • Attacker in radio range could cause a station to disconnect by sending a specially crafted management frame (since would not properly validate the source address of the frame)

[USN-4137-1] Mosquitto vulnerability [10:44]

  • 1 CVEs addressed in Disco
  • Stack overflow if a malicious client sends a SUBSCRIBE with a topic of ~65k ‘/’ characters

[USN-4138-1] LibreOffice vulnerability [10:56]

  • 1 CVEs addressed in Xenial, Bionic, Disco
  • Episode 44 - able to bypass protections added to try and stop inclusion of code on local file-system in macros etc via URL encoding

[USN-4139-1] File Roller vulnerability [11:18]

  • 1 CVEs addressed in Xenial, Bionic
  • Path traversal outside of CWD to parent

[USN-4140-1] Firefox vulnerability [11:33]

  • 1 CVEs addressed in Xenial, Bionic, Disco
  • Latest upstream release (69.0.1) - pointer lock able to be enabled without any notification to user - could allow a malicious website to hijack mouse cursor and confuse user

[USN-4141-1] Exim vulnerability [11:54]

  • 1 CVEs addressed in Disco
  • Heap-based buffer overflow - could possibly allow remote code execution - was announced on Saturday 28th - thanks Marc for the quick update :)

Goings on in Ubuntu Security Community

Joe and Alex talk about the Paris Engineering Sprint and Joe’s recent article in Admin Magazine [12:42]

New security category on discourse.ubuntu.com [25:52]

Get in contact