
Episode 103
This week we take a deep dive look at 2 recent vulnerabilities in the popular application containerisation frameworks, snapd and flatpak, plus we cover security updates for MiniDLNA, PHP-PEAR, the Linux kernel and more.
Ubuntu Security Podcast · Ubuntu Security Team
February 12, 2021 · 13m 14s
Show Notes
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4720-2] Apport vulnerabilities [00:53]
- 3 CVEs addressed in Trusty ESM (14.04 ESM)
- Episode 102
[USN-4721-1] Flatpak vulnerability [01:06]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Flatpak sandbox escape - Flatpak isolates applications inside their own mount / user / etc namespaces - allows sandboxed applications to communicate with the host via various portals - i.e. open a file via a file chooser portal (aka powerbox)
- Portal D-Bus service provides the ability to launch other subprocesses in a new sandbox instance, following a NNP model (i.e. same or fewer privileges than the caller) (e.g. used by sandboxed web browsers to process untrusted content inside less privileged subprocesses)
- Would previously allow a confined process to specify various environment variables which would then get passed to the `flatpak run` command used to launch the new subprocess in its own sandbox - so the fix is to sanitize the environment variables before they reach the launcher
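The sanitisation step from the last bullet, as an added example that is not flatpak's own code: a spawn-portal side filter that only forwards well-formed variable names, refuses names the launcher or dynamic loader would honour before the new sandbox exists, and then passes the survivors as explicit `--env=` arguments instead of inheriting the portal's process environment. The blocked-prefix list, the request contents and the argv layout are assumptions for illustration.

```python
"""Filter environment variables a sandboxed caller asks a spawn portal to
forward to `flatpak run`. Illustrative policy, not the project's code."""
import re

# Only well-formed POSIX environment variable names are forwarded; anything
# else (embedded '=', spaces, leading digits) is refused outright.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Prefixes honoured by the dynamic loader or the launcher itself before the
# child sandbox is set up. Constructed for this example; the real portal's
# policy is maintained upstream.
_BLOCKED_PREFIXES = ("LD_", "GCONV_", "GLIBC_", "MALLOC_", "FLATPAK_")


def env_var_verdict(name, value):
    """Return None if NAME=VALUE may be forwarded, else the refusal reason."""
    if not _NAME_RE.match(name):
        return "malformed name"
    if name.startswith(_BLOCKED_PREFIXES):
        return "reserved prefix"
    if "\0" in value or "\n" in value:
        return "control character in value"
    return None


def sanitize_spawn_env(requested):
    """Split a caller-supplied mapping into (forwarded, rejected) dicts.

    `rejected` maps each dropped name to its reason so the portal can log
    the refusal rather than silently dropping it."""
    forwarded, rejected = {}, {}
    for name, value in requested.items():
        reason = env_var_verdict(name, value)
        if reason is None:
            forwarded[name] = value
        else:
            rejected[name] = reason
    return forwarded, rejected


def build_run_argv(app_id, env, command):
    """Assemble the launcher argv, passing each surviving variable explicitly
    via `--env=NAME=VALUE` (a real `flatpak run` option) so the caller never
    controls the launcher's own environment. Layout is an assumption."""
    env_args = [f"--env={k}={v}" for k, v in sorted(env.items())]
    return ["flatpak", "run", *env_args, app_id, "--", *command]
```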
[USN-4722-1] ReadyMedia (MiniDLNA) vulnerabilities [01:11]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Possible RCE via malicious UPnP requests - a request sent with chunked encoding could trigger a signedness bug, leading to a heap buffer overflow
- Episode 91 - “CallStranger” - UPnP spec didn’t forbid subscription requests with a URL on a different network segment - could allow an attacker to cause a miniDLNA server to DoS a different endpoint
[USN-4723-1] PEAR vulnerability [02:30]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Improper handling of symlinks in archives could result in arbitrary file overwrite via directory traversal - since PHP PEAR runs the installer as root, this could then overwrite arbitrary files as root, giving priv esc / code execution etc
[USN-4724-1] OpenLDAP vulnerabilities [03:14]
- 10 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Various issues
[USN-4725-1] QEMU vulnerabilities [03:20]
- 6 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Usual sorts of issues in device emulation etc, resulting in information disclosure from host to guest or a crash of the QEMU host process
[USN-4717-2] Firefox regression [03:55]
- Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Upstream Firefox regression - 85.0.1
[USN-4726-1] OpenJDK vulnerability [04:04]
- Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Not much info from upstream on this one - “incorrectly handled direct buffering of characters” -> DoS or other unspecified impact
[USN-4713-2] Linux kernel vulnerability [04:22]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS)
- Episode 102 - LIO SCSI XCOPY issue
[USN-4727-1] Linux kernel vulnerability [04:36]
- 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10)
- AF_VSOCK race conditions - local user could get code execution as root via memory corruption
[USN-4728-1] snapd vulnerability [05:11]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Gilad Reti & Nimrod Stoler from CyberArk
- Thanks to Ian Johnson from snapd team for working on the fix