Episode 90

Posted on Friday, Sep 11, 2020

Show Notes

Overview

This week we look at security updates for the X server, the Linux kernel and GnuTLS plus we preview the upcoming AppArmor3 release that is slated for Ubuntu 20.10 (Groovy Gorilla).

This week in Ubuntu Security Updates

20 unique CVEs addressed

[USN-4487-1, USN-4487-2] libx11 vulnerabilities [00:58]

  • 2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • 2 privilege escalation attacks
    • integer overflow -> double free -> memory corruption
    • integer overflow -> heap buffer overflow
    • privilege escalation may be possible since in both cases the memory corruption could lead to arbitrary code execution in a binary that uses libX11 and runs with root privileges (setuid / sudo etc) - this is why we often advise against running graphical applications via sudo etc

[USN-4488-1, USN-4490-1] X.Org X Server vulnerabilities [02:29]

[USN-4449-2] Apport vulnerabilities [03:28]

[USN-4474-2] Firefox regressions [03:38]

[USN-4489-1] Linux kernel vulnerability [04:09]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • AF_PACKET (layer 2) socket did not perform bounds checks in some places - requires CAP_NET_RAW or root - BUT a user can be root in a user namespace, and these are enabled by default in Ubuntu and other Linux distros -> can disable via sysctl `kernel.unprivileged_userns_clone=0`
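
An audit of the sysctl mitigation above, as an added example that is not part of the original show notes: it checks both the running value and whether the setting is persisted, since a value set only at runtime is lost on reboot. The function names, verdict strings and the list of config files passed in are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the show notes): audit the userns mitigation.
KEY="kernel.unprivileged_userns_clone"
PROC_FILE="/proc/sys/kernel/unprivileged_userns_clone"

# Runtime state, read from a procfs-style file (argument is for testing).
runtime_state() {
    f="${1:-$PROC_FILE}"
    [ -r "$f" ] || { echo "unknown"; return 0; }   # sysctl absent on this kernel
    case "$(cat "$f")" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unknown" ;;
    esac
}

# Last value assigned to KEY in the given sysctl config files, in the order
# given (later assignments win), or "unset". Unreadable files are skipped.
persisted_value() {
    for f in "$@"; do
        shift
        if [ -r "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || { echo "unset"; return 0; }
    awk -v key="$KEY" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$@"
}

# Combine both into a verdict on the AF_PACKET-via-userns exposure.
verdict() {   # $1 = runtime_state output, $2 = persisted_value output
    case "$1:$2" in
        disabled:0) echo "mitigated" ;;
        disabled:*) echo "mitigated-until-reboot" ;;
        enabled:*)  echo "exposed" ;;
        *)          echo "unknown" ;;
    esac
}
```

On a live system, call it as `verdict "$(runtime_state)" "$(persisted_value /etc/sysctl.d/*.conf)"`, adjusting the file list to wherever your hosts keep sysctl settings.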

[USN-4491-1] GnuTLS vulnerability [06:01]

  • 1 CVE addressed in Focal (20.04 LTS)
  • Malicious server can trigger a NULL pointer dereference in the client during TLS 1.3 negotiation - DoS

Goings on in Ubuntu Security Community

AppArmor3 slated for Ubuntu 20.10 [06:32]

  • Beta version of AppArmor3 is being prepared for Ubuntu 20.10 Groovy Gorilla - should land in -proposed next week and then main soon after
  • Provides ABI feature pinning - so upgrading to kernels with newer additional features will not break existing profiles
  • Rewrites of a number of tools into different languages to make their use and packaging easier
  • Support for new kernel features such as v8 ABI network socket rules, xattr attachment conditionals, PERFMON and BPF capabilities
  • Improved compiler warnings and semantic checks
  • Improved support for kernels that support LSM stacking
  • Profile modes - enforce (default), kill and unconfined

Get in contact