
Episode 162
This week we cover security updates for dpkg, logrotate, GnuPG, CUPS, InfluxDB and more, plus we take a quick look at some open positions on the team - come join us!
Ubuntu Security Podcast · Ubuntu Security Team
June 3, 2022 · 15m 38s
Show Notes
This week in Ubuntu Security Updates
31 unique CVEs addressed
[USN-5446-1, USN-5446-2] dpkg vulnerability [00:42]
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Directory traversal vulnerability when extracting untrusted source packages
- Debian source packages consist of two tarballs - orig and debian
- orig is unpacked and then debian is unpacked on top of that - if orig is crafted to contain a symlink which points to a file outside of the source tree, then when unpacking debian it will follow that symlink and hence would overwrite arbitrary files outside the source directory
- Only really a problem for Debian/Ubuntu developers
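The layered unpack described above, as an added example that is not part of the show notes or of dpkg's own code: a constructed orig tarball plants a symlink pointing outside the unpack directory, a constructed debian tarball then drops an ordinary file beneath it, and a checker that resolves each member's on-disk path before writing refuses the write. The names make_tar, checked_extract, demo and the pkg/docs paths are assumptions made for this illustration.

```python
import io
import os
import tarfile
import tempfile

def make_tar(entries):
    """Build an in-memory tarball from (name, kind, payload) tuples (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":          # payload is the link target
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tar.addfile(info)
            else:                          # payload is the file content
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def checked_extract(tar_bytes, dest, reject_escaping_links=False):
    """Unpack one tarball into dest, refusing any member whose on-disk path resolves
    outside dest. realpath() follows symlinks an earlier tarball created, so a later
    layer cannot write through them; reject_escaping_links=True also refuses symlinks
    whose own target leaves dest. Returns the names of refused members."""
    root, refused = os.path.realpath(dest), []
    def inside(p):
        return os.path.commonpath([root, os.path.realpath(p)]) == root
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            path = os.path.join(root, m.name)
            link_ok = not (reject_escaping_links and m.issym()) or \
                inside(os.path.join(os.path.dirname(path), m.linkname))
            if not inside(path) or not link_ok:
                refused.append(m.name)
                continue
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            else:
                with open(path, "wb") as fh:
                    fh.write(tar.extractfile(m).read())
    return refused

def demo(reject_escaping_links=False):
    # orig plants a symlink pointing outside the unpack dir; debian drops a file beneath it.
    orig = make_tar([("pkg/README", "file", b"sample\n"), ("pkg/docs", "symlink", "../../outside")])
    debian = make_tar([("pkg/docs/rules", "file", b"#!/usr/bin/make -f\n")])
    with tempfile.TemporaryDirectory() as dest:
        return (checked_extract(orig, dest, reject_escaping_links),
                checked_extract(debian, dest, reject_escaping_links))
```

With the default policy the symlink itself is accepted and only the second layer's write through it is refused; with reject_escaping_links=True the symlink is refused up front and the debian layer then unpacks cleanly into a real directory.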
[USN-5447-1] logrotate vulnerability [02:58]
- 1 CVE addressed in Impish (21.10), Jammy (22.04 LTS)
- logrotate creates a ‘state’ file to avoid parallel executions of itself - each instance locks this file as a mutex mechanism
- if this doesn’t exist, it gets created - but is created world readable - which allows unprivileged users to take the lock on this file
- as such the real logrotate will fail to run since it can’t get the lock -> DoS
[USN-5402-2] OpenSSL vulnerabilities [04:13]
- 2 CVEs addressed in Xenial ESM (16.04 ESM)
- Episode 159
[USN-5448-1] ncurses vulnerabilities [04:21]
- 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Crafted inputs could cause ncurses to crash - most of these were found via fuzzing and are stack buffer overflows - these are generally mitigated via stack-protector, others are NULL ptr deref, but again same outcome (crash -> DoS)
- Possible infinite loop as well -> cpu based DoS
[USN-5449-1] libXv vulnerability [04:58]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Remote X server could trigger OOB read in the X client via crafted response -> crash -> DoS
[USN-5431-1] GnuPG vulnerability [04:24]
- 1 CVE addressed in Bionic (18.04 LTS)
- Weakness in PGP/SKS keyserver design - if a key/certificate has many signatures, GnuPG will take an inordinate amount of time to process these when downloading the key from the keyserver -> DoS
- Certificate spamming attack - anyone can sign someone else’s cert thereby attaching another signature to it on the SKS keyserver network
- The OpenPGP spec doesn’t limit the number of signatures (but SKS keyserver network does - 150k)
- So anyone can poison someone else’s cert by attaching a large number of signatures to it
- GnuPG would download all of these signatures when importing a key and then proceed to validate them all
- Also would do this when say validating a signature from that poisoned cert
- Fixed to not import key signatures by default anymore and to then fall back to only importing self-signatures on large keyblocks
[USN-5452-1] NTFS-3G vulnerability [07:55]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- ntfsck tool failed to perform proper bounds checking on filesystem metadata - if an attacker could trick a user into running it on an untrusted filesystem image they could then possibly get code execution
- Upstream have deprecated this tool and it is only present in the ntfs-3g-dev package which is not installed by default
[USN-5453-1] FreeType vulnerability [08:38]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- OOB read when processing a crafted font file -> DoS
[USN-5454-1, USN-5454-2] CUPS vulnerabilities [08:50]
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Upstream Apple advisory describes this as:
- “Logic issue addressed with improved state management… An application may be able to gain elevated privileges”
- Looks like it was discovered by Mandiant
- CUPS provides the ability to authenticate via Basic Web Authentication or through a 32-byte randomly generated token created at runtime
- Comparison function would only compare the supplied token value against the real one based on the length of the shortest input - so if supplied an empty string then would compare 0 bytes of the two and return success!
- Other two issues were memory handling issues in IPP printing - could submit a print job which would cause an OOB read in CUPS -> crash -> DoS
[USN-5451-1] InfluxDB vulnerability [10:39]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Similar authentication bug in InfluxDB - could bypass authentication by supplying a JWT token with an empty SharedSecret
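Both empty-credential bugs above (the CUPS token comparison that only checks as many bytes as the shorter input has, and InfluxDB accepting a JWT when the shared secret is empty) modelled side by side, as an added example that is not code from either project: each vulnerable check sits beside a hardened one, and the JWT handling is written from scratch here. Function names and the sample token values are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json

def vulnerable_token_check(supplied: bytes, real: bytes) -> bool:
    """Models the CUPS flaw: compare only as many bytes as the shorter input has."""
    n = min(len(supplied), len(real))       # empty input -> n == 0 -> nothing compared
    return supplied[:n] == real[:n]

def hardened_token_check(supplied: bytes, real: bytes) -> bool:
    """Refuse empty or wrong-length input, then compare the full value in constant time."""
    if not supplied or len(supplied) != len(real):
        return False
    return hmac.compare_digest(supplied, real)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; written here from scratch, not InfluxDB's implementation."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256_jwt(token: str, shared_secret: bytes, require_secret: bool = True) -> bool:
    """require_secret=False models a server that keeps verifying tokens with an empty
    configured secret (anyone can mint one with b""); True disables token auth instead."""
    if require_secret and not shared_secret:
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, sig = parts
    expected = hmac.new(shared_secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))

def demo() -> dict:
    real = b"f" * 32                                # stand-in for the 32-byte runtime token
    forged = make_hs256_jwt({"username": "admin"}, b"")   # signed with an empty secret
    return {
        "cups_vulnerable_accepts_empty": vulnerable_token_check(b"", real),
        "cups_hardened_rejects_empty": not hardened_token_check(b"", real),
        "influx_vulnerable_accepts_forged": verify_hs256_jwt(forged, b"", require_secret=False),
        "influx_hardened_rejects_forged": not verify_hs256_jwt(forged, b""),
    }
```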
[USN-5442-2] Linux kernel vulnerabilities [11:06]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 - GCP/GKE/IBM/Oracle/Raspi
- Bing-Jhong Billy Jheng found an integer overflow in io_uring - an unprivileged user can spam requests which would eventually overflow a counter and then could be used to trigger an OOB write -> controlled memory corruption -> privesc
- Not the first bug in io_uring found by this researcher - https://seclists.org/oss-sec/2021/q2/127
- Similarly, Jann Horn (GPZ) found the kernel didn't properly check privileges of a process when allowing it to set a flag which would then disable seccomp filters on another process or itself
- Could then allow an unprivileged process to turn off seccomp for itself / other processes and allow them to bypass intended access restrictions
- Regular kernel security bug - ref count issue in network queueing subsystem -> UAF - able to be triggered by a local attacker -> crash / code execution
[USN-5443-2] Linux kernel vulnerabilities [12:47]
- 2 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
- 5.13 Oracle/GCP
[USN-5457-1] WebKitGTK vulnerabilities [12:58]
- 5 CVEs addressed in Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Latest webkit point release - usual mix of issues fixed - XSS, DoS, RCE etc