Episode 74

Posted on Friday, May 15, 2020
Special guest, Tim McNamara, author of Rust In Action talks all things Rust plus we look at security updates for Linux bluetooth firmware, OpenLDAP, PulseAudio, Squid and more.

Show Notes

This week in Ubuntu Security Updates

17 unique CVEs addressed

[USN-4351-1] Linux firmware vulnerability [01:03]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • Bluetooth devices failed to properly validate the elliptic curve parameters used in key exchange; a remote attacker could possibly force a weak key to be used and hence obtain the encryption key. This required changes to both the kernel and the firmware blobs: the kernel was updated previously (Episode 43) and this is the corresponding update for the firmware

[USN-4352-1, USN-4352-2] OpenLDAP vulnerability [02:05]

  • 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • A search filter with a large number of nested boolean expressions could cause the slapd daemon to crash via deep stack recursion; resolved by adding a hard-coded limit

[USN-4353-1] Firefox vulnerabilities [02:46]

[USN-4353-2] Firefox regression [03:34]

[USN-4354-1] Mailman vulnerability [03:51]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

    • CVE-2020-12108
    • Arbitrary content injection via the options login page: if the submitted email address looked invalid it would be echoed back to the user, so anything supplied as the email address would be displayed

[USN-4355-1] PulseAudio vulnerability [04:23]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • The snap policy module for PulseAudio, which exists only in Ubuntu, is designed to let snapd mediate snaps' access to PulseAudio: a snap that plugs the pulseaudio (or audio-playback / record) interface(s) can talk to PulseAudio but should only be able to perform certain actions. However, the policy did not restrict unloading the policy module itself, so any snap with access could unload the policy and then have unrestricted access to PulseAudio, e.g. recording audio when only the audio-playback interface was connected.

[USN-4357-1] IPRoute vulnerability [05:39]

  • 1 CVE addressed in Bionic (18.04 LTS)
  • Use-after-free (UAF) when listing network namespaces (ip netns list)

[USN-4356-1] Squid vulnerabilities [05:59]

  • 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • Possible cache poisoning, crash or remote code execution from malicious remote servers via Edge Side Includes (ESI)
  • Failure to properly validate the hostname in the cache manager for certain browsers, leading to HTML injection
  • Nonce replay due to failure to properly validate Digest Authentication nonce values

[USN-3911-2] file regression [06:40]

  • Affecting Xenial (16.04 LTS), Bionic (18.04 LTS)
  • In Episode 25, USN-3911-1 (an update for file) caused a regression where the name of the interpreter parsed by file would be truncated and so the output would be incorrect: the code used sizeof(var), but var is a char * and so sizeof() gives the size of a pointer rather than the length of the string; updated to use strlen(var) + 1
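To make the sizeof vs strlen mistake concrete, here is an added C example, constructed for these notes rather than taken from file's own source: a hypothetical bounded-copy helper, bounded_copy, is handed sizeof(interp) by the regressed caller and strlen(interp) + 1 by the fixed one, and SAMPLE_INTERP is a made-up interpreter name.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample ELF interpreter name for this demo (not from the advisory). */
#define SAMPLE_INTERP "/lib64/ld-linux-x86-64.so.2"

/* Hypothetical bounded copy standing in for a "make printable" helper that is
 * handed the source length as a parameter: copies at most n bytes of src into
 * dst, never more than dstsize - 1, and always NUL-terminates. */
static void bounded_copy(char *dst, size_t dstsize, const char *src, size_t n)
{
    size_t len = 0;
    while (len < n && src[len] != '\0')
        len++;
    if (len >= dstsize)
        len = dstsize - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Regressed version: interp is a pointer, so sizeof(interp) is the size of a
 * pointer (typically 8 bytes), not the length of the name it points at, and the
 * copied name is silently truncated. Returns the number of bytes copied. */
size_t interp_name_regressed(const char *interp, char *out, size_t outsize)
{
    bounded_copy(out, outsize, interp, sizeof(interp));
    return strlen(out);
}

/* Fixed version as described in the note above: bound the copy by the string
 * length plus its terminating NUL. Returns the number of bytes copied. */
size_t interp_name_fixed(const char *interp, char *out, size_t outsize)
{
    bounded_copy(out, outsize, interp, strlen(interp) + 1);
    return strlen(out);
}

/* Returns 1 when fn reproduces interp unchanged, 0 when it was truncated. */
int preserves_name(size_t (*fn)(const char *, char *, size_t), const char *interp)
{
    char scratch[256];
    fn(interp, scratch, sizeof(scratch));
    return strcmp(scratch, interp) == 0;
}

int main(void)
{
    char buf[256];
    interp_name_regressed(SAMPLE_INTERP, buf, sizeof(buf));
    printf("regressed: interpreter %s\n", buf); /* truncated to pointer-size bytes */
    interp_name_fixed(SAMPLE_INTERP, buf, sizeof(buf));
    printf("fixed:     interpreter %s\n", buf); /* full name */
    return 0;
}
```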

Goings on in Ubuntu Security Community

Alex talks Rust with Tim McNamara [08:14]

Get in contact