Episode 50

Posted on Thursday, Oct 24, 2019
Alex and Joe discuss the big news of this week - the release of Ubuntu 19.10 Eoan Ermine - plus we look at updates for the Linux kernel, libxslt, UW IMAP and more.

Show Notes

Overview

Alex and Joe discuss the big news of this week - the release of Ubuntu 19.10 Eoan Ermine - plus we look at updates for the Linux kernel, libxslt, UW IMAP and more.

This week in Ubuntu Security Updates

51 unique CVEs addressed

[USN-4156-2] SDL vulnerabilities [00:37]

[USN-4160-1] UW IMAP vulnerability [01:04]

  • 1 CVEs addressed in Xenial, Bionic, Disco
  • University of Washington IMAP toolkit (used by PHP for it’s IMAP implementation)
  • Used rsh to implement various operations - wouldn’t try and sanitize the provided hostname - so if attacker could provide a hostname/mailbox to php’s IMAP without any validation could execute arbitrary commands on the host
    • Fixed by turning off the rsh based functionality by default in PHP - if you still want this you can set imap.enable_insecure_rsh but this is not advised…

[USN-4158-1] LibTIFF vulnerabilities [02:17]

  • 2 CVEs addressed in Xenial, Bionic, Disco
  • Integer overflow -> heap based buffer overflow -> crash, DoS or code execution
  • (Low) Integer overflow due to undefined behaviour in existing overflow checking code when multiplying various elements -> no known way to exploit

[USN-4155-2] Aspell vulnerability [03:13]

[USN-4159-1] Exiv2 vulnerability [03:31]

  • 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • OOB read -> crash, DoS

[USN-4164-1] Libxslt vulnerabilities [03:44]

  • 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • OSS-Fuzz found 3 issues
    • possible heap buffer overflow as a result of a dangling pointer - so same memory area could be reused for future memory operations -> fixed to reset the pointer when done
    • 2 low priority issues - both stack memory info disclosures

[USN-4157-1, USN-4157-2] Linux kernel vulnerabilities [04:59]

  • 9 CVEs addressed in Bionic (HWE) and Disco
  • Integer overflow -> buffer overflow -> root privesc in binder
  • Reintroduction of Spectre v1 vulnerability in ptrace subsystem - Brad Spengler - fixed properly in Linus' tree but not when it got backported to the stable tree - two lines of code got reordered - so load of possible speculative value occurred _after_it had been used - so the speculative load barrier had no effect - Ubuntu regularly backports fixes from the latest stable tree so we ended up affected as well
  • Possible DoS (kernel crash) if users can write to /dev/kvm - by default on Ubuntu users don’t have this privilege so generally not affected
  • 2 different heap based buffer overflows in Marvell Wifi driver -> occurred when setting parameters for the driver so could be triggered by a local users -> crash, DoS or possible code execution

[USN-4161-1] Linux kernel vulnerability [07:40]

  • 1 CVEs addressed in Eoan
  • Eoan kernel “0-day” - will discuss with Joe later

[USN-4162-1] Linux kernel vulnerabilities [07:58]

[USN-4163-1, USN-4163-2] Linux kernel vulnerabilities [09:29]

[LSN-0058-1] Linux kernel vulnerability [10:09]

Goings on in Ubuntu Security Community

Joe and Alex on Ubuntu 19.10 (Eoan Ermine) released but with possible local user kernel DoS bug [11:02]

Get in contact