Episode 54
Posted on Sunday, Nov 24, 2019
Security updates for DPDK, Linux kernel, QEMU, ImageMagick, Ghostscript and
more, plus Joe and Alex talk about how to get into information security.
Show Notes
Overview
Security updates for DPDK, Linux kernel, QEMU, ImageMagick, Ghostscript and more, plus Joe and Alex talk about how to get into information security.
This week in Ubuntu Security Updates
89 unique CVEs addressed
[USN-4189-1] DPDK vulnerability [01:00]
- 1 CVEs addressed in Bionic, Disco, Eoan
- Data Plane Development Kit - Memory and file-descriptor leak, able to be triggered by a malicious master or a container with access to the vhost_user socket
[USN-4190-1] libjpeg-turbo vulnerabilities [01:41]
- 4 CVEs addressed in Xenial, Bionic, Disco
- 2 x heap-buffer overflow - crash or possible RCE
- 2 x heap-buffer overread - crash
[USN-4183-2] Linux kernel vulnerability [02:48]
- 9 CVEs addressed in Eoan
- Episode 53 - Extra update for CVE-2019-0155 (i915 blitter command streamer) - previous one was based on an in-flight patch that got changed at the last minute before the CRD - part of this fix is to whitelist certain commands to the command-streamer, and this is done via a bitmask - this used a memset() to zero it out but assumed the size of the underlying data was 32-bit - so on 64-bit platforms this becomes a 64-bit size and so half the bitmask is not zeroed out - meaning the whitelist may be able to be bypassed - this fix includes the final upstream fix
[USN-4184-2] Linux kernel vulnerability and regression [04:37]
- 14 CVEs addressed in Bionic (HWE), Disco
- See above (i915 vuln) - but also includes a fix for a regression that was introduced in last week’s kernel - KVM guests would fail to launch if extended page tables were disabled or not supported.
[USN-4185-3] Linux kernel vulnerability and regression [05:05]
- 11 CVEs addressed in Xenial (HWE), Bionic
- See above (both i915 vuln and KVM regression)
[USN-4186-3] Linux kernel vulnerability [05:22]
- 13 CVEs addressed in Xenial
- i915 vuln
[USN-4191-1, USN-4191-2] QEMU vulnerabilities [05:32]
- 5 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
- Heap buffer overflow and UAF in SLiRP networking implementation - DoS + possible code exec
- Bridge helper didn’t validate interface names to be within IFNAMSIZ - could be used to bypass ACL restrictions
- NULL pointer dereference in qxl paravirtual graphics driver - DoS
- Possible CPU based DoS via an infinite loop able to be triggered in the LSI SCSI adaptor emulator
[USN-4192-1] ImageMagick vulnerabilities [06:48]
- 30 CVEs addressed in Xenial, Bionic, Disco, Eoan
- CVE-2019-16713
- CVE-2019-16711
- CVE-2019-16710
- CVE-2019-16709
- CVE-2019-16708
- CVE-2019-15140
- CVE-2019-15139
- CVE-2019-14981
- CVE-2019-13454
- CVE-2019-13391
- CVE-2019-13311
- CVE-2019-13310
- CVE-2019-13309
- CVE-2019-13308
- CVE-2019-13307
- CVE-2019-13306
- CVE-2019-13305
- CVE-2019-13304
- CVE-2019-13301
- CVE-2019-13300
- CVE-2019-13297
- CVE-2019-13295
- CVE-2019-13137
- CVE-2019-13135
- CVE-2019-12979
- CVE-2019-12978
- CVE-2019-12977
- CVE-2019-12976
- CVE-2019-12975
- CVE-2019-12974
- Usual raft of issues - DoS, RCE etc - in various image decoders etc - so just need to display or process a malicious image via ImageMagick to trigger - interestingly, seems to be noticed - some applications (Emacs) chose not to automatically link against and use ImageMagick now as a result of all the various vulnerablilties which keep being found in it…
[USN-4193-1] Ghostscript vulnerability [08:13]
- 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
- Another -dSAFER bypass - newest Ghostscript is not affected since it rewrote the SAFER sandbox - but older versions are - allows a malicious postscript file to bypass the sandbox and access files or execute commands etc.
[USN-4194-1] postgresql-common vulnerability [09:17]
- 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
- Privesc via arbitrary directory creation through the pg_ctlcluster command - allows to create a dir as postgres user - say /usr/lib/sudo/haswell - then dump a shared lib there which will be loaded by sudo to gain a root shell - by specifying this as the stats_temp_directory in the config
- Interesting but requires ability to configure and run as postgres
[USN-4195-1] MySQL vulnerabilities [11:07]
- 29 CVEs addressed in Xenial, Bionic, Disco, Eoan
- CVE-2019-3018
- CVE-2019-3011
- CVE-2019-3009
- CVE-2019-3004
- CVE-2019-3003
- CVE-2019-2998
- CVE-2019-2997
- CVE-2019-2993
- CVE-2019-2991
- CVE-2019-2982
- CVE-2019-2974
- CVE-2019-2969
- CVE-2019-2968
- CVE-2019-2967
- CVE-2019-2966
- CVE-2019-2963
- CVE-2019-2960
- CVE-2019-2957
- CVE-2019-2950
- CVE-2019-2948
- CVE-2019-2946
- CVE-2019-2938
- CVE-2019-2924
- CVE-2019-2923
- CVE-2019-2922
- CVE-2019-2920
- CVE-2019-2914
- CVE-2019-2911
- CVE-2019-2910
- Multiple issues fixed in MySQL - updated to 8.0.18 in eoan, whilst in xenial, bionic and disco - 5.7.28 - for more details see upstream notices
[USN-4196-1] python-ecdsa vulnerabilities [11:42]
- 2 CVEs addressed in Xenial, Bionic, Disco, Eoan
- Issues in handling DER encoding of signatures - failed to verify proper DER encoding but also might raise exceptions unexpectedly on valid input so would cause a DoS