Episode 7

Show Notes

Overview

This week we look at some details of the 78 unique CVEs addressed across the supported Ubuntu releases including more GhostScript, ImageMagick, WebKitGTK, Linux kernel and more.

This week in Ubuntu Security Updates

78 unique CVEs addressed

[USN-3773-1] Ghostscript vulnerabilities

• 2 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-17183
  • CVE-2018-16510
• Similar to [USN-3768-1] from Episode 5

[USN-3769-2] Bind vulnerability

• 1 CVEs addressed in Precise ESM
  • CVE-2018-5740
• Extended Security Maintenance version of [USN-3769-1]

[USN-3774-1] strongSwan vulnerability

• 1 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-17540
• [USN-3771-1] incorporated fixes for multiple CVEs - but these fixes themselves introduced this new vulnerability
• Heap buffer overflow found by Google’s OSS-Fuzz leading to DoS for gmp plugin

[USN-3775-1, USN-3775-2, USN-3776-1, USN-3776-2, USN-3777-1, USN-3777-2] Linux kernel vulnerabilities

• 11 CVEs addressed across Precise ESM, Trusty, Xenial and Bionic including HWE kernels
  • CVE-2018-6555
  • CVE-2018-6554
  • CVE-2018-14633
  • CVE-2018-14634
  • CVE-2018-15572
  • CVE-2018-15594
  • CVE-2018-16276
  • CVE-2018-10902
  • CVE-2018-10853
  • CVE-2017-18216
  • CVE-2018-17182
• Not all CVEs affect all releases
• Includes:
  • UAF and memory leak -> DoS in IRDA
  • Stack buffer overwrite in iSCSI - low chance of privilege escalation
  • Integer overflow leading to possible privilege escalation but only on machines with >32GB RAM
  • Insufficiencies discovered in various Spectre variant mitigations previously deployed
  • Incorrect bounds checking in yurex USB driver from userspace -> crash / privilege escalation for local user
  • Race condition in midi driver - double free -> privilege escalation
  • KVM hypervisor instruction emulation fail to check privileges - privilege escalation inside guest
  • OCFS2 file-system driver NULL pointer dereference -> BUG (mutex logic bug)
  • Memory management sequence number overflow leading to UAF -> possible privilege escalation - Jann Horn (GPZ)

[USN-3780-1] HAProxy vulnerability

• 1 CVEs addressed in Bionic
  • CVE-2018-14645
• Out of bounds read leading to remote crash -> DoS

[USN-3781-1] WebKitGTK+ vulnerabilities

• 24 CVEs addressed in Bionic
  • CVE-2018-4361
  • CVE-2018-4359
  • CVE-2018-4358
  • CVE-2018-4328
  • CVE-2018-4323
  • CVE-2018-4319
  • CVE-2018-4318
  • CVE-2018-4317
  • CVE-2018-4316
  • CVE-2018-4315
  • CVE-2018-4314
  • CVE-2018-4312
  • CVE-2018-4311
  • CVE-2018-4309
  • CVE-2018-4306
  • CVE-2018-4299
  • CVE-2018-4213
  • CVE-2018-4212
  • CVE-2018-4210
  • CVE-2018-4209
  • CVE-2018-4208
  • CVE-2018-4207
  • CVE-2018-4197
  • CVE-2018-4191
• Used by many GNOME applications to render web content (Epiphany, Evolution, Boxes, GThumb, Buidler, Empathy, etc)
• Many issues fixed in this release including, XSS, DoS, RCE etc

[USN-3782-1] Liblouis vulnerabilities

• 2 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-17294
  • CVE-2018-12085

[USN-3778-1] Firefox vulnerabilities

• 3 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-12387
  • CVE-2018-12386
  • CVE-2018-12385
• Firefox 62 release - includes fixes for RCE, local cache poisoning and information disclosures

[USN-3783-1] Apache HTTP Server vulnerabilities

• 3 CVEs addressed in Bionic
  • CVE-2018-11763
  • CVE-2018-1333
  • CVE-2018-1302
• DoS (crash) via incorrect stream destruction and DoS (resources) from incorrect frame handling

[USN-3785-1] ImageMagick vulnerabilities

• 14 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2017-13144
  • CVE-2018-16749
  • CVE-2018-16645
  • CVE-2018-16644
  • CVE-2018-16643
  • CVE-2018-16642
  • CVE-2018-16323
  • CVE-2018-14551
  • CVE-2018-16750
  • CVE-2018-16640
  • CVE-2018-14437
  • CVE-2018-14436
  • CVE-2018-14435
  • CVE-2018-14434
• Disables support for using PS and PDF from Ghostscript in ImageMagick due to large number of GS vulns (see Episode 5)
• Also multiple fixes for ImageMagick itself, including memory leaks (DoS), information disclosure, RCE etc

[USN-3784-1] AppArmor update

• Hardening of various AppArmor profiles (mentioned in Episode 5)

[LSN-0044-1] Linux kernel vulnerability

• Livepatch incorporating L1TF, Spectrev2 and other fixes as well

[USN-3786-1] libxkbcommon vulnerabilities

• 11 CVEs addressed in Trusty, Xenial
  • CVE-2018-15864
  • CVE-2018-15863
  • CVE-2018-15862
  • CVE-2018-15861
  • CVE-2018-15859
  • CVE-2018-15858
  • CVE-2018-15857
  • CVE-2018-15856
  • CVE-2018-15855
  • CVE-2018-15854
  • CVE-2018-15853
• Loads keyboard descriptions from disk - multiple vulnerabilities in file format handling leading to DoS etc

[USN-3787-1] Tomcat vulnerability

• 1 CVEs addressed in Trusty, Xenial
  • CVE-2018-11784
• Redirect handling allowed attacker to redirect to any URI of their choice
• Can be avoided if had manually enabled both mapperDirectoryRedirectEnabled and mapperContextRootRedirectEnabled

[USN-3789-1] ClamAV vulnerability

• 1 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-15378
• Crash in handling of unpacked MEW executable files

[USN-3788-1] Tex Live vulnerabilities

• 2 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-17407
  • CVE-2015-5700
• File overwrite via insecure symlink handling
• Code execution via buffer overflow in Type1 font handler

[USN-3791-1] Git vulnerability

• 1 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-17456
• RCE when cloning a malicious repository - due to insufficient validation of git submodule URLs and paths.

Goings on in Ubuntu Security Community

Hiring

Ubuntu Security Engineer

• https://boards.greenhouse.io/canonical/jobs/1158266

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter