Episode 55

Posted on Monday, Dec 9, 2019
This week we cover security updates for NSS, SQLite, the Linux kernel and more, plus Joe and Alex discuss a recent FBI advisory warning about possible dangers of Smart TVs.

Show Notes

Overview

This week we cover security updates for NSS, SQLite, the Linux kernel and more, plus Joe and Alex discuss a recent FBI advisory warning about possible dangers of Smart TVs.

This week in Ubuntu Security Updates

49 unique CVEs addressed

[USN-4203-1, USN-4203-2] NSS vulnerability [00:59]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • OOB write if using an output buffer smaller than the block size (since used block size instead of buffer size) when writing output for NSC_EncryptUpdate()

[USN-4204-1] psutil vulnerability [02:05]

  • 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • Double free due to mishandling of reference counting when handling errors during conversion of system data into Python objects - could be triggered when using a malicious disk partition label with an invalid character that fails to decode - so triggers error than fails to cleanup properly and results in a double free

[USN-4205-1] SQLite vulnerabilities [02:59]

[USN-4208-1] Linux kernel vulnerabilities [03:42]

  • 12 CVEs addressed in Bionic (gcp-edge), Eoan (5.3 kernel)
  • Buffer overflow in wifi driver stack - able to be triggered by a remote user in wifi range
  • Ubuntu specific OverlayFS and ShiftFS memory mapped reference counting issue - can be triggered when combined with that when combined with AUFS by a local attacker.
  • Memory leak based denial of service issues in various drivers (usually during error conditions so unlikely to ever be hit in real use or able to be easily triggered by malicious local users):
    • AMD Display Engine
    • Qualcomm FastRPC
    • Cascoda CA8210 SPI 802.15.4 wireless controller
    • AMD Audio CoProcessor
    • Intel OPA Gen1 Infiniband
    • ADIS16400 IIO IMU
    • VirtualBox guest
    • ARM Komeda display

[USN-4209-1] Linux kernel vulnerabilities [06:07]

  • 3 CVEs addressed in Bionic (HWE), Disco (5.0 kernel)
  • Memory leak in Netronome NFP4000/NFP6k000 driver
  • Buffer overflow via 802.11 wifi config interface - local user onlu
  • OverlayFS/ShiftFS issue above

[USN-4210-1] Linux kernel vulnerabilities [06:47]

[USN-4211-1, USN-4211-2] Linux kernel vulnerabilities [07:22]

  • 3 CVEs addressed in Xenial, Trusty ESM (Xenial HWE)
  • Wifi stack remote user buffer overflow
  • Infinite loop in the CFS scheduler able to be triggered by a local user -> DoS

[USN-4206-1] GraphicsMagick vulnerabilities [07:55]

[USN-4207-1] GraphicsMagick vulnerabilities [09:18]

[USN-4194-2] postgresql-common vulnerability [09:29]

[USN-4182-3, USN-4182-4] Intel Microcode regression [09:44]

Goings on in Ubuntu Security Community

Joe and Alex discuss a recent FBI Advisory concerning SmartTVs [10:50]

Get in contact