Ubuntu Security Podcast

Episode 107

Overview

This week we check on the status of the pending GRUB2 Secure Boot updates
and detail some open positions within the team, plus we look at security
updates for GLib, zstd, Go, Git and more.

This week in Ubuntu Security Updates

7 unique CVEs addressed

[USN-4757-2] wpa_supplicant and hostapd vulnerability [00:45]
  • 1 CVE addressed in Trusty ESM (14.04 ESM)
    • CVE-2021-27803
    • P2P / Wi-Fi Direct use-after-free -> crash or RCE; covered in Episode 106

[USN-4733-2] GNOME Autoar regression [01:23]
  • Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
    • Episode 104 - the upstream patch caused a regression such that folders within
      the archive may fail to be extracted - once noticed and fixed by upstream,
      we have now included this too
[USN-4759-1] GLib vulnerabilities [02:06]
  • 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
    • CVE-2021-27219
    • CVE-2021-27218
    • Possible integer overflow when allocating memory due to an implicit cast
      from a 64-bit long to a 32-bit int - the g_memdup() function takes a 32-bit
      int argument but is called by g_bytes_new(), which takes a 64-bit gsize
      argument. It ends up allocating much less memory than expected, and later,
      when data is copied into that block, a buffer overflow can occur.
    • Since g_memdup() is a public API, it can't just be changed to take a gsize
      argument since this would break the ABI - so instead g_memdup2() was added
      and the internal callers converted to use it - but other applications
      should think about porting to this new API to avoid this sort of issue
      (and audit their own code to check they don't have similar implicit
      integer overflow issues)
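The narrowing described above, as an added C example that is not GLib's code or the podcast's: guint_like and gsize_like stand in for guint and gsize, memdup_old() mirrors the old 32-bit signature, memdup2_like() the full-width g_memdup2() shape, and fits_in_guint() is the kind of check an application could use when auditing its own gsize-to-guint call sites. All names are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for GLib's types (constructed for this example): guint is 32 bits,
 * gsize is the platform word, 64 bits on the affected builds. */
typedef uint32_t guint_like;
typedef uint64_t gsize_like;

/* What the old g_memdup() actually allocates when a gsize-taking caller such as
 * g_bytes_new() hands it a 64-bit length: the implicit guint conversion keeps
 * only the low 32 bits. */
gsize_like old_api_alloc_size(gsize_like requested)
{
    guint_like narrowed = (guint_like)requested;   /* implicit in the real call */
    return narrowed;
}

/* Bytes that a later copy of `requested` bytes into that block would write
 * past its end. 0 means the old signature was harmless for this length. */
gsize_like old_api_overflow_bytes(gsize_like requested)
{
    return requested - old_api_alloc_size(requested);
}

/* Audit helper for callers: does this length survive a narrowing to guint? */
int fits_in_guint(gsize_like n)
{
    return n <= UINT32_MAX;
}

/* Shape of the old API: the length parameter is 32-bit, so any caller that
 * holds a gsize is silently narrowed at the call site. */
void *memdup_old(const void *mem, guint_like byte_size)
{
    if (mem == NULL || byte_size == 0) return NULL;
    void *copy = malloc(byte_size);
    if (copy != NULL) memcpy(copy, mem, byte_size);
    return copy;
}

/* Shape of g_memdup2(): the length keeps its full width, so the allocation and
 * the later copy agree on the size. */
void *memdup2_like(const void *mem, gsize_like byte_size)
{
    if (mem == NULL || byte_size == 0) return NULL;
#if SIZE_MAX < UINT64_MAX
    if (byte_size > SIZE_MAX) return NULL;   /* not representable on this platform */
#endif
    void *copy = malloc((size_t)byte_size);
    if (copy != NULL) memcpy(copy, mem, (size_t)byte_size);
    return copy;
}

int main(void)
{
    gsize_like big = 0x100000010ULL;   /* 4 GiB + 16 bytes: a plausible large GBytes */
    printf("requested %llu, old API allocates %llu, copy overruns by %llu bytes\n",
           (unsigned long long)big,
           (unsigned long long)old_api_alloc_size(big),
           (unsigned long long)old_api_overflow_bytes(big));

    const char sample[] = "constructed sample payload";
    char *copy = memdup2_like(sample, sizeof sample);
    if (copy != NULL) {
        printf("memdup2_like copied: %s\n", copy);
        free(copy);
    }
    return 0;
}
```

For a 4 GiB + 16 byte input the old signature allocates 16 bytes and the subsequent copy overruns by exactly 4 GiB, which is the shape of the bug the advisory describes; fits_in_guint() is the check to run at every place a size_t or gsize flows into a 32-bit length parameter.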
[USN-4760-1] libzstd vulnerabilities [04:44]
  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
    • CVE-2021-24032
    • CVE-2021-24031
    • Output files were created with default permissions - so this was patched to
      chmod() them so that only the owner could read/write them
    • But this introduced a race condition where the file initially still has
      the default permissions, so a different user could potentially access it
      during the window before the chmod() call is made - so it was deemed an
      incomplete fix for the first CVE and a second CVE was allocated for this
      incomplete fix - instead zstd was changed to set umask() before creating
      the file in the first place so the permissions are set properly at creation
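The two patterns described above, as an added C example that is not zstd's code: racy_create_then_chmod() reproduces the create-then-chmod() window of the first fix and safe_create_restricted() the umask()-before-create approach of the second. The process_umask parameter simulates the environment the caller arrived with, and the scratch directory and file names are constructed for the demo.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp(), fchmod() under strict ISO C modes */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (user/group/other rwx) of an open descriptor, or (mode_t)-1. */
static mode_t fd_perms(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return (mode_t)-1;
    return st.st_mode & 0777;
}

/* Pattern of the first, incomplete fix: create with the default mode (0666
 * filtered by the process umask), then narrow it with fchmod(). Returns the
 * permission bits observed between the two steps, which is what another local
 * user could see during the race window: 0644 under the common 022 umask. */
mode_t racy_create_then_chmod(const char *path, mode_t process_umask)
{
    mode_t saved = umask(process_umask);   /* simulate the caller's environment */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(saved);                          /* restore the real process umask */
    if (fd < 0) return (mode_t)-1;
    mode_t during_window = fd_perms(fd);   /* the file already exists like this */
    if (fchmod(fd, 0600) != 0) { close(fd); return (mode_t)-1; }
    close(fd);
    return during_window;
}

/* Pattern of the final fix: decide the permissions before the file exists, so
 * there is no window to race. umask(077) is the change the episode describes;
 * passing 0600 as the creation mode as well makes the result independent of
 * whatever umask the caller arrived with. Returns the bits at creation time. */
mode_t safe_create_restricted(const char *path, mode_t process_umask)
{
    mode_t saved = umask(process_umask);   /* simulate the caller's environment */
    (void)umask(077);                      /* the fix: restrict before creating */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    umask(saved);                          /* restore the real process umask */
    if (fd < 0) return (mode_t)-1;
    mode_t at_creation = fd_perms(fd);
    close(fd);
    return at_creation;
}

/* Scratch directory for the demo (constructed path under /tmp); caller removes it. */
int make_scratch_dir(char *buf, size_t len)
{
    const char tmpl[] = "/tmp/usn4760_demo_XXXXXX";
    if (len < sizeof tmpl) return -1;
    memcpy(buf, tmpl, sizeof tmpl);
    return mkdtemp(buf) != NULL ? 0 : -1;
}

int main(void)
{
    char dir[64], racy[128], safe[128];
    if (make_scratch_dir(dir, sizeof dir) != 0) { perror("mkdtemp"); return 1; }
    snprintf(racy, sizeof racy, "%s/racy.out", dir);
    snprintf(safe, sizeof safe, "%s/safe.out", dir);

    printf("create-then-chmod, umask 022: mode during window %04o\n",
           (unsigned)racy_create_then_chmod(racy, 022));
    printf("umask-then-create, umask 022: mode at creation   %04o\n",
           (unsigned)safe_create_restricted(safe, 022));

    unlink(racy); unlink(safe); rmdir(dir);
    return 0;
}
```

Under a 022 umask the racy version reports 0644 for the interval before fchmod(), while the safe version reports 0600 from the first instant the file exists, whatever umask the caller had. O_EXCL is kept in both so a pre-existing file or symlink at the target path is an error rather than silently reused.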
[USN-4758-1] Go vulnerability [05:41]
  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
    • CVE-2020-24553
    • Possible XSS issue in the CGI and FastCGI implementations, since Go would
      treat non-HTML data as HTML and so return a text/html Content-Type, which
      would then be served as such by the webserver even if the content had been
      uploaded with a different content type
    • Thanks to Dariusz Gadomski from the SEG team for preparing these fixes (since
      these versions of golang are in universe on these Ubuntu releases)
[USN-4761-1] Git vulnerability [06:59]
  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
    • CVE-2021-21300
    • Possible code execution by the local git client when cloning a malicious
      remote repository - the local client would need a git filter to be
      installed - like git LFS - and would have to be on a case-insensitive
      file-system - so this would be a more common scenario for Windows users but
      is unlikely to affect Linux users - patched anyway
Goings on in Ubuntu Security Community

GRUB2 updates still in progress [08:54]
  • Still being tested internally by our hardware certification lab and
    others, and some minor tweaks are being made, plus shim devel work is still
    ongoing - thanks to Dimitri John Ledkov from the Foundations team for handling
    that work, as well as all the one-grub work too
Hiring [09:53]

AppArmor Security Engineer
  • https://canonical.com/careers/2114847/apparmor-security-engineer-remote

Ubuntu Security Engineer
  • https://canonical.com/careers/2612092/ubuntu-security-engineer-remote

Security Engineer - Ubuntu
  • https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact
  • #ubuntu-security on the Libera.Chat IRC network
  • ubuntu-hardened mailing list
  • Security section on discourse.ubuntu.com
  • @ubuntu_sec on twitter
  • ...more
Ubuntu Security Podcast, by Ubuntu Security Team