Episode 53

Posted on Friday, Nov 15, 2019
This week we look at the details of the latest Intel hardware vulnerabilities, including security updates for the Linux kernel and Intel microcode, plus Bash, cpio, FriBidi and more.

Show Notes

This week in Ubuntu Security Updates

26 unique CVEs addressed

[USN-4176-1] GNU cpio vulnerability [01:00]

  • 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • cpio did not validate values written to the headers of TAR archives - cpio could be used to create a TAR containing another TAR with a big size, and it would use the wrong context values (i.e. the inner TAR's values in the header) - this could allow a TAR to be created containing files with permissions not owned by the original user - when extracted by cpio these would overwrite target files, whereas extracting with tar avoids this - fixed to check and handle header values correctly

[USN-4177-1] Rygel vulnerability [02:18]

  • Affecting Eoan
  • Rygel was added in Eoan, off by default, but it relied on GNOME to handle that - GNOME would disable it dynamically - so if not running GNOME, Rygel would be running and sharing your stuff on the local network - fixed to disable it automatically on upgrade - you can then use the GNOME settings front-end etc. to re-enable it if desired

[USN-4178-1] WebKitGTK+ vulnerabilities [03:34]

[USN-4181-1] WebKitGTK+ vulnerabilities [03:34]

[USN-4179-1] FriBidi vulnerability [04:00]

  • 1 CVE addressed in Disco, Eoan
  • Issue reported about Unicode isolate handling in Qt - turns out it affected GTK applications as well - entirely different code with a very similar flaw - stack buffer overflow since it didn’t check the bounds of a fixed array used to store details of nested Unicode isolate sections - simple fix to just check bounds before trying to store the next element
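
A simplified model of the bug class described above, added here as an example and not FriBidi's or Qt's code: a fixed-size array tracks nested isolate sections, and the bounds check comes before each store. The names, the depth limit of 8 and the choice to reject over-deep input are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_ISOLATE_DEPTH 8        /* hypothetical limit chosen for this sketch */
#define LRI 0x2066u                /* LEFT-TO-RIGHT ISOLATE: opens a section */
#define PDI 0x2069u                /* POP DIRECTIONAL ISOLATE: closes a section */

/* LRI, RLI and FSI (U+2066..U+2068) all open an isolate section. */
static int opens_isolate(uint32_t cp) { return cp >= 0x2066u && cp <= 0x2068u; }

/*
 * Record the start offset of every open isolate in a fixed-size stack array.
 * Returns the deepest nesting level seen, or -1 when the text nests deeper
 * than the array can hold (rejecting is this sketch's choice of handling).
 */
int isolate_depth(const uint32_t *text, size_t len, size_t *longest_span)
{
    size_t starts[MAX_ISOLATE_DEPTH];
    size_t depth = 0, longest = 0;
    int deepest = 0;

    for (size_t i = 0; i < len; i++) {
        if (opens_isolate(text[i])) {
            /* Bounds check before the store: without it, the ninth nested
             * opener would write starts[8], one past the end of the array. */
            if (depth >= MAX_ISOLATE_DEPTH)
                return -1;
            starts[depth++] = i;
            if ((int)depth > deepest)
                deepest = (int)depth;
        } else if (text[i] == PDI && depth > 0) {
            size_t span = i - starts[--depth];   /* unmatched PDI is skipped */
            if (span > longest)
                longest = span;
        }
    }
    if (longest_span)
        *longest_span = longest;
    return deepest;
}

/* Constructed input: n nested openers followed by n closers. */
int depth_of_nested(size_t n)
{
    uint32_t buf[64];
    if (2 * n > sizeof buf / sizeof buf[0])
        return -2;
    for (size_t i = 0; i < n; i++) {
        buf[i] = LRI;
        buf[n + i] = PDI;
    }
    return isolate_depth(buf, 2 * n, NULL);
}
```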

[USN-4180-1] Bash vulnerability [05:38]

  • 1 CVE addressed in Precise ESM
  • Recently announced vulnerability (heap-based buffer overflow) in Bash affecting old versions - so most releases are unaffected except Precise - can be triggered by printing wide characters via echo -e

[USN-4182-1, USN-4182-2] Intel Microcode update [06:12]

  • 2 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
  • Voltage modulation able to be performed by a local privileged user - disabled via microcode
  • TSX Asynchronous Abort (TAA) - https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915
    • Another variant of MDS, but only affects processors with Transactional Synchronization Extensions (TSX)
    • MDS mitigations can also mitigate this - but it needs a microcode update - and an associated kernel update too

[USN-4183-1] Linux kernel vulnerabilities [07:58]

[USN-4184-1] Linux kernel vulnerabilities [11:09]

[USN-4185-1, USN-4185-2] Linux kernel vulnerabilities [12:06]

[USN-4186-1, USN-4186-2] Linux kernel vulnerabilities [12:47]

[USN-4187-1] Linux kernel vulnerability [13:48]

[USN-4188-1] Linux kernel vulnerability [13:48]

[LSN-0059-1] Linux kernel vulnerability [14:05]

Goings on in Ubuntu Security Community

20.04 Roadmap Sprint [14:55]