با برنامه Player FM !
Episode 191
Manage episode 358810554 series 2423058
Overview
This week saw the unexpected release of Ubuntu 20.04.6 so we go into the detail behind that, plus we talk Everything Open and we cover security updates including Emacs, LibreCAD, Python, vim and more.
This week in Ubuntu Security Updates
82 unique CVEs addressed
[USN-5955-1] Emacs vulnerability [00:50]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- htmlfontify package would try and validate whether a given file is text by calling
file
on it - but would fail to escape the filename - so if a user could be tricked into runninghtmlfontify-copy-and-link-dir
on a crafted directory, could get code execution in the context of emacs - Unlikely to be an issue in practice, also there doesn’t appear to be any users of this function on github (other than references to the documentation for it)
[USN-5956-1, USN-5956-2] PHPMailer vulnerabilities [02:03]
- 7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- email sending library for PHP
- similarly, possible RCE since could possibly inject commands that would be passed to the shell when executing the underlying
mail
command - original patch didn’t fix properly so second CVE was issued for the fix
[USN-5957-1] LibreCAD vulnerabilities [02:58]
- 7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- Various memory corruption issues when parsing DXF, DWG, DRW or JWW files
- OOB writes, UAFs, NULL ptr deref - RCE / DoS
[USN-5855-2] ImageMagick vulnerabilities [03:37]
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
[USN-5958-1] FFmpeg vulnerabilities [03:45]
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- 2 NULL ptr derefs and 2 OOB reads -> DoS
[USN-5954-1] Firefox vulnerabilities [03:59]
- 9 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 111.0
- usual mix of issues for web engines (DoS, info leak across domains, RCE) if visited a malicious website
- memory corruption, plus a few logic issues that could be used to either cause firefox to leak local information back to the web server or spoof parts of the UI etc
[USN-5961-1] abcm2ps vulnerabilities
- 6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5962-1] Linux kernel (Intel IoTG) vulnerabilities [04:47]
- 18 CVEs addressed in Jammy (22.04 LTS)
- two high priority issues
- netfilter mishandling of vlan headers - OOB write -> crash / RCE
- UAF in upper-level protocol subsystem - can be triggered by local user - similarly, crash / RCE
[USN-5959-1] Kerberos vulnerabilities [05:32]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- NULL ptr derefs -> crash in kerberos daemon -> DoS
[USN-5960-1] Python vulnerability [05:51]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- possibly to bypass blocklists in
urllib.parse()
simply by prefixing the URL with a space - blocklisting is not part of upstream functionality but often would be implemented in application / library logic by first usingurlparse()
to parse the given URL - if prefixed with a space then can geturlparse()
to fail to return the correct scheme/hostname - can workaround simply by first callingstrip()
on URL - apparently upstream still discussing whether the current fix is sufficient so watch this space
[USN-5963-1] Vim vulnerabilities [07:14]
- 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- moar vim vulns from bug-bounty - all found via fuzzing of vim - all memory corruption vulns -> DoS / RCE
[USN-5964-1] curl vulnerabilities [07:41]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- various connection reuse issues - eg. would reuse an SSH connection even if caller had changed an SSH option - similar for FTP.
- mishandling of ~ in SFTP could then allow access to unintended files (would expand even if not the first part of the path)
[USN-5806-3] Ruby vulnerability [08:43]
- 1 CVEs addressed in Focal (20.04 LTS)
[USN-5965-1] TigerVNC vulnerability [08:53]
- 1 CVEs addressed in Focal (20.04 LTS)
- when processing a TLS certificate, would store that internally as a certificate authority - then if client connected to a different server would use that stored cert as a CA cert to validate the new server - could then allow a malicious server to impersonate other servers
[USN-5904-2] SoX regression [09:35]
- 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Fix for one of the vulns fixed in the original update was incomplete
Goings on in Ubuntu Security Community
Ubuntu 20.04.6 LTS Released [09:49]
- https://lists.ubuntu.com/archives/ubuntu-announce/2023-March/000287.html
- https://wiki.ubuntu.com/FocalFossa/ReleaseSchedule
- Wasn’t originally planned to be released
Unlike previous point releases, 20.04.6 is a refresh of the amd64 installer media after recent key revocations, re-enabling their usage on Secure Boot enabled systems.
Many other security updates for additional high-impact bug fixes are also included, with a focus on maintaining stability and compatibility with Ubuntu 20.04 LTS.
- TL;DR - recent vulnerabilities in shim and grub meant that we revoked those old versions such that they would not boot anymore if updates had been installed - so if wanted to reinstall using the 20.04.5 media it would fail to boot. Can prove this to yourself:
cat /sys/firmware/efi/efivars/SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23
sbat,1,2022052400 grub,2
objdump -j .sbat -s grubx64.efi
Ubuntu Security at Everything Open 2023 [12:02]
- https://ubuntu.com/blog/everything-open-2023-in-melbourne
- https://2023.everythingopen.au/schedule/presentation/64/
- Presented about how the Ubuntu Security keeps Ubuntu secure and also gave advice on how you can improve the security of your own open source projects
Get in contact
241 قسمت
Manage episode 358810554 series 2423058
Overview
This week saw the unexpected release of Ubuntu 20.04.6 so we go into the detail behind that, plus we talk Everything Open and we cover security updates including Emacs, LibreCAD, Python, vim and more.
This week in Ubuntu Security Updates
82 unique CVEs addressed
[USN-5955-1] Emacs vulnerability [00:50]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- htmlfontify package would try and validate whether a given file is text by calling
file
on it - but would fail to escape the filename - so if a user could be tricked into runninghtmlfontify-copy-and-link-dir
on a crafted directory, could get code execution in the context of emacs - Unlikely to be an issue in practice, also there doesn’t appear to be any users of this function on github (other than references to the documentation for it)
[USN-5956-1, USN-5956-2] PHPMailer vulnerabilities [02:03]
- 7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- email sending library for PHP
- similarly, possible RCE since could possibly inject commands that would be passed to the shell when executing the underlying
mail
command - original patch didn’t fix properly so second CVE was issued for the fix
[USN-5957-1] LibreCAD vulnerabilities [02:58]
- 7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- Various memory corruption issues when parsing DXF, DWG, DRW or JWW files
- OOB writes, UAFs, NULL ptr deref - RCE / DoS
[USN-5855-2] ImageMagick vulnerabilities [03:37]
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
[USN-5958-1] FFmpeg vulnerabilities [03:45]
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- 2 NULL ptr derefs and 2 OOB reads -> DoS
[USN-5954-1] Firefox vulnerabilities [03:59]
- 9 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 111.0
- usual mix of issues for web engines (DoS, info leak across domains, RCE) if visited a malicious website
- memory corruption, plus a few logic issues that could be used to either cause firefox to leak local information back to the web server or spoof parts of the UI etc
[USN-5961-1] abcm2ps vulnerabilities
- 6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5962-1] Linux kernel (Intel IoTG) vulnerabilities [04:47]
- 18 CVEs addressed in Jammy (22.04 LTS)
- two high priority issues
- netfilter mishandling of vlan headers - OOB write -> crash / RCE
- UAF in upper-level protocol subsystem - can be triggered by local user - similarly, crash / RCE
[USN-5959-1] Kerberos vulnerabilities [05:32]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- NULL ptr derefs -> crash in kerberos daemon -> DoS
[USN-5960-1] Python vulnerability [05:51]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- possibly to bypass blocklists in
urllib.parse()
simply by prefixing the URL with a space - blocklisting is not part of upstream functionality but often would be implemented in application / library logic by first usingurlparse()
to parse the given URL - if prefixed with a space then can geturlparse()
to fail to return the correct scheme/hostname - can workaround simply by first callingstrip()
on URL - apparently upstream still discussing whether the current fix is sufficient so watch this space
[USN-5963-1] Vim vulnerabilities [07:14]
- 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- moar vim vulns from bug-bounty - all found via fuzzing of vim - all memory corruption vulns -> DoS / RCE
[USN-5964-1] curl vulnerabilities [07:41]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- various connection reuse issues - eg. would reuse an SSH connection even if caller had changed an SSH option - similar for FTP.
- mishandling of ~ in SFTP could then allow access to unintended files (would expand even if not the first part of the path)
[USN-5806-3] Ruby vulnerability [08:43]
- 1 CVEs addressed in Focal (20.04 LTS)
[USN-5965-1] TigerVNC vulnerability [08:53]
- 1 CVEs addressed in Focal (20.04 LTS)
- when processing a TLS certificate, would store that internally as a certificate authority - then if client connected to a different server would use that stored cert as a CA cert to validate the new server - could then allow a malicious server to impersonate other servers
[USN-5904-2] SoX regression [09:35]
- 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Fix for one of the vulns fixed in the original update was incomplete
Goings on in Ubuntu Security Community
Ubuntu 20.04.6 LTS Released [09:49]
- https://lists.ubuntu.com/archives/ubuntu-announce/2023-March/000287.html
- https://wiki.ubuntu.com/FocalFossa/ReleaseSchedule
- Wasn’t originally planned to be released
Unlike previous point releases, 20.04.6 is a refresh of the amd64 installer media after recent key revocations, re-enabling their usage on Secure Boot enabled systems.
Many other security updates for additional high-impact bug fixes are also included, with a focus on maintaining stability and compatibility with Ubuntu 20.04 LTS.
- TL;DR - recent vulnerabilities in shim and grub meant that we revoked those old versions such that they would not boot anymore if updates had been installed - so if wanted to reinstall using the 20.04.5 media it would fail to boot. Can prove this to yourself:
cat /sys/firmware/efi/efivars/SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23
sbat,1,2022052400 grub,2
objdump -j .sbat -s grubx64.efi
Ubuntu Security at Everything Open 2023 [12:02]
- https://ubuntu.com/blog/everything-open-2023-in-melbourne
- https://2023.everythingopen.au/schedule/presentation/64/
- Presented about how the Ubuntu Security keeps Ubuntu secure and also gave advice on how you can improve the security of your own open source projects
Get in contact
241 قسمت
همه قسمت ها
×به Player FM خوش آمدید!
Player FM در سراسر وب را برای یافتن پادکست های با کیفیت اسکن می کند تا همین الان لذت ببرید. این بهترین برنامه ی پادکست است که در اندروید، آیفون و وب کار می کند. ثبت نام کنید تا اشتراک های شما در بین دستگاه های مختلف همگام سازی شود.