
Episode 50
Alex and Joe discuss the big news of this week - the release of Ubuntu 19.10 Eoan Ermine - plus we look at updates for the Linux kernel, libxslt, UW IMAP and more.
Ubuntu Security Podcast · Ubuntu Security Team
October 24, 2019 · 23m 48s
Show Notes
This week in Ubuntu Security Updates
51 unique CVEs addressed
[USN-4156-2] SDL vulnerabilities [00:37]
- 11 CVEs addressed in Precise ESM, Trusty ESM
- Covered in Episode 49 and Episode 48
[USN-4160-1] UW IMAP vulnerability [01:04]
- 1 CVE addressed in Xenial, Bionic, Disco
- University of Washington IMAP toolkit (used by PHP for its IMAP implementation)
- Used rsh to implement various operations and did not sanitize the provided hostname - so an attacker who could provide a hostname/mailbox to PHP's IMAP without any validation could execute arbitrary commands on the host
- Fixed by turning off the rsh based functionality by default in PHP - if you still want this you can set imap.enable_insecure_rsh but this is not advised…
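An added example, not part of the original show notes: one way to check that no PHP ini file has turned the rsh-based IMAP code path back on via imap.enable_insecure_rsh. The function names are hypothetical and the ini files to scan are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the show notes): report whether a PHP ini file
# re-enables the rsh-based IMAP code path that the update turns off by default.
# Function names are hypothetical.

# insecure_rsh_state FILE -> prints "enabled", "disabled" or "unset".
# "unset" means the file never mentions the directive, so the default (off) applies.
insecure_rsh_state() {
    awk '
        {
            line = $0
            sub(/;.*$/, "", line)                  # drop ini comments
            n = index(line, "=")
            if (n == 0) next                       # section header or blank line
            key = substr(line, 1, n - 1)
            val = tolower(substr(line, n + 1))
            gsub(/[ \t\r"]/, "", key)
            gsub(/[ \t\r"]/, "", val)
            if (key != "imap.enable_insecure_rsh") next
            # PHP treats on/true/yes and any non-zero integer as true.
            # A later assignment in the same file overrides an earlier one.
            state = (val == "on" || val == "true" || val == "yes" || val + 0 != 0) ? "enabled" : "disabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# audit_insecure_rsh FILE... -> lists every file that enables the directive;
# returns 1 if any file does, 0 otherwise.
audit_insecure_rsh() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        if [ "$(insecure_rsh_state "$f")" = "enabled" ]; then
            echo "ENABLED: $f"
            rc=1
        fi
    done
    return "$rc"
}
```

Assuming the stock Ubuntu PHP layout, a typical call is audit_insecure_rsh /etc/php/*/*/php.ini /etc/php/*/*/conf.d/*.ini; files are judged one at a time, so any hit is worth reviewing even if a later-loaded file overrides it.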
[USN-4158-1] LibTIFF vulnerabilities [02:17]
- 2 CVEs addressed in Xenial, Bionic, Disco
- Integer overflow -> heap based buffer overflow -> crash, DoS or code execution
- (Low) Integer overflow due to undefined behaviour in existing overflow checking code when multiplying various elements -> no known way to exploit
[USN-4155-2] Aspell vulnerability [03:13]
- 1 CVE addressed in Eoan
- Covered in Episode 49 for older releases - Eoan is now out so it is updated there too
[USN-4159-1] Exiv2 vulnerability [03:31]
- 1 CVE addressed in Xenial, Bionic, Disco, Eoan
- OOB read -> crash, DoS
[USN-4164-1] Libxslt vulnerabilities [03:44]
- 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- OSS-Fuzz found 3 issues
- possible heap buffer overflow as a result of a dangling pointer - so same memory area could be reused for future memory operations -> fixed to reset the pointer when done
- 2 low priority issues - both stack memory info disclosures
[USN-4157-1, USN-4157-2] Linux kernel vulnerabilities [04:59]
- 9 CVEs addressed in Bionic (HWE) and Disco
- Integer overflow -> buffer overflow -> root privesc in binder
- Reintroduction of Spectre v1 vulnerability in ptrace subsystem - Brad Spengler - fixed properly in Linus’ tree but not when it got backported to the stable tree - two lines of code got reordered, so the load of the possibly speculative value occurred _after_ it had been used and the speculative load barrier had no effect - Ubuntu regularly backports fixes from the latest stable tree so we ended up affected as well
- Possible DoS (kernel crash) if users can write to /dev/kvm - by default on Ubuntu users don’t have this privilege so generally not affected
- 2 different heap based buffer overflows in Marvell Wifi driver -> occurred when setting parameters for the driver so could be triggered by a local user -> crash, DoS or possible code execution
[USN-4161-1] Linux kernel vulnerability [07:40]
- 1 CVE addressed in Eoan
- Eoan kernel “0-day” - will discuss with Joe later
[USN-4162-1] Linux kernel vulnerabilities [07:58]
- 10 CVEs addressed in Trusty ESM (Azure), Xenial (HWE), Bionic
- SMB based buffer overread when mounting a share with version specified as 3.0 but the share itself is version 2.10 -> parameter size mismatch -> read of too much memory -> info disclosure
- UAF in RSI 91x Wi-Fi driver -> able to be triggered by a remote network peer -> crash, DoS or possible RCE
- ptrace Spectre v1 reissue, KVM crash, Marvell Wifi Driver issues from above
- USB audio issues from Episode 48 (Disco kernel -> now fixed in Bionic kernel as well)
[USN-4163-1, USN-4163-2] Linux kernel vulnerabilities [09:29]
- 10 CVEs addressed in Xenial and Trusty ESM (HWE)
- Spectre v1 reissue, USB Audio, KVM crash, Marvell and RSI 91x WiFi Driver issues all covered earlier
- Serial attached SCSI implementation mishandled error condition leading to deadlock -> local user could possibly trigger this leading to a DoS
[LSN-0058-1] Linux kernel vulnerability [10:09]
- 22 CVEs addressed in Bionic and Xenial + Xenial (HWE)
- CVE-2019-14835
- CVE-2019-14821
- CVE-2019-14816
- CVE-2019-14815
- CVE-2019-14814
- CVE-2019-14284
- CVE-2019-14283
- CVE-2019-12614
- CVE-2019-11833
- CVE-2019-11478
- CVE-2019-11477
- CVE-2019-10207
- CVE-2019-10126
- CVE-2019-3846
- CVE-2019-2181
- CVE-2019-2054
- CVE-2019-0136
- CVE-2018-21008
- CVE-2018-20976
- CVE-2018-20961
- CVE-2018-20856
- CVE-2016-10905
- Almost all covered in previous episodes or earlier in this episode
- 2 high priority issues
- vhost_net issue from Episode 47
- SACKPanic from Episode 37
Goings on in Ubuntu Security Community
Joe and Alex on Ubuntu 19.10 (Eoan Ermine) released but with possible local user kernel DoS bug [11:02]
- https://twitter.com/sylvia_ritter
- https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-19.10-Kernel-Bug
- Mitigate by installing the latest eoan kernel update or by disabling user namespaces: sysctl user.max_user_namespaces=0