Ubuntu Security Podcast

Episode 117



Overview

This week we’re talking about moving IRC networks plus security updates for Pillow, Babel, Apport, X11 and more.

This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-4963-1] Pillow vulnerabilities [00:55]
  • 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
    • CVE-2021-28678
    • CVE-2021-28677
    • CVE-2021-28676
    • CVE-2021-28675
    • CVE-2021-25288
    • CVE-2021-25287
  • Python image handling library - used by many other packages for their image handling
  • All DoS issues via OOB reads and similar, so not critical

[USN-4962-1] Babel vulnerability [01:31]
  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
    • CVE-2021-20095
  • Internationalisation handling for Python apps
  • Directory traversal flaw - could be exploited to load arbitrary locale .dat files; these contain serialized Python objects, so arbitrary code execution results
  • A relative path could be used to specify a file outside the locale-data directory
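The traversal in the Babel item comes down to joining a caller-supplied locale name onto the locale-data directory and trusting the result. The following is an added example (not Babel's code, nor the fix shipped in the USN) of the check a loader should make instead: reject any name that is not a plain locale identifier, then confirm that the fully resolved path still lies inside the data directory. The function names, the constructed `.dat` files and the temporary directory are all assumptions for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Locale identifiers are letters, digits and underscores ("en", "en_US",
# "zh_Hant_TW"). Anything else, including "/", "." and "..", is rejected
# before it ever touches the filesystem.
_LOCALE_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def naive_locale_file(data_dir, locale_name):
    """The unsafe pattern: join the caller's name onto the directory and trust
    the result. A name such as "../outside" escapes data_dir. For contrast only."""
    return os.path.join(data_dir, locale_name + ".dat")


def resolve_locale_file(data_dir, locale_name):
    """Return the Path of <locale_name>.dat inside data_dir, or None if the
    name is malformed or the resolved file would lie outside data_dir."""
    if not _LOCALE_RE.match(locale_name):
        return None
    base = Path(data_dir).resolve()
    # resolve() follows symlinks, so a planted "x.dat -> /elsewhere" link is
    # caught by the containment check just like ".." in the name would be.
    candidate = (base / (locale_name + ".dat")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def demo():
    """Constructed scenario: a locale-data directory holding one real file,
    plus a file outside it. Returns what each lookup yields under each approach."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "locale-data"
        base.mkdir()
        (base / "en_US.dat").write_bytes(b"constructed sample, not a real Babel file")
        outside = Path(tmp) / "outside.dat"
        outside.write_bytes(b"should never be loaded as locale data")

        results = {
            "good": resolve_locale_file(base, "en_US"),
            "traversal": resolve_locale_file(base, "../outside"),
            "naive_traversal": naive_locale_file(str(base), "../outside"),
        }
        try:
            # A symlink inside the data directory pointing outside it.
            (base / "link.dat").symlink_to(outside)
            results["symlink"] = resolve_locale_file(base, "link")
        except OSError:
            results["symlink"] = "symlinks unsupported here"
        return {k: (str(v) if isinstance(v, Path) else v) for k, v in results.items()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The identifier whitelist does most of the work; the containment check after `resolve()` is the second layer that also catches a symlink dropped into the directory. Neither changes the fact that a `.dat` file is unpickled once found, so restricting which file is opened is what keeps the deserialization from becoming code execution.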
[USN-4964-1] Exiv2 vulnerabilities [02:25]
  • 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
    • CVE-2021-29623
    • CVE-2021-32617
    • CVE-2021-29473
    • CVE-2021-29464
    • CVE-2021-29463
  • CLI utility and library (C++) for reading and modifying metadata in image files - more Exiv2, last seen as recently as Episode 115
  • OOB reads on metadata write
  • Heap buffer overflow on metadata write
  • Quadratic-complexity algorithm on metadata write - DoS
  • Stack info leak on metadata read

[USN-4965-1, USN-4965-2] Apport vulnerabilities [03:19]
  • 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
    • CVE-2021-32557
    • CVE-2021-32556
    • CVE-2021-32555
    • CVE-2021-32554
    • CVE-2021-32553
    • CVE-2021-32552
    • CVE-2021-32551
    • CVE-2021-32550
    • CVE-2021-32549
    • CVE-2021-32548
    • CVE-2021-32547
  • Seems it’s time for more Apport vulns - every quarter or so
  • Arbitrary file read / write vulns discovered by Maik Münch
  • Apport parses various details out of /proc, and some of these can be crafted by the process (i.e. process name, current working dir etc.); it then goes on to gather files etc., so if a process can craft these details it can get Apport to read files which weren’t intended, via symlinks etc. (mitigated by symlink protections in Ubuntu), or via injection of data into, say, dpkg queries to get it to include other files like /etc/passwd, since this operation happens as root in Apport
  • These end up in the crash dump, and this can be read by the regular user
  • Also, when uploading via whoopsie, a race condition where the crash dump can be replaced by a symlink, and then the crash dump will be written to the destination of the symlink - file write vuln - but again mitigated by symlink restrictions
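The write side of the Apport item is the classic privileged-writer race: a file path is chosen, an unprivileged user swaps a symlink in at that path, and the privileged process follows it. The following is an added example (not Apport's or whoopsie's code, and not the fix in the USN) contrasting a plain `open()` that follows the link with a create that refuses to. The file names and the constructed symlink scenario are assumptions for the demo.

```python
import errno
import os
import tempfile
from pathlib import Path


def write_report_unsafe(path, data):
    """Plain open() follows a symlink at path, so a link planted during the
    race window redirects the write to wherever the link points. For contrast only."""
    with open(path, "wb") as f:
        f.write(data)


def write_report_safe(path, data):
    """Create the report only if nothing (regular file or symlink) already
    occupies path. O_CREAT|O_EXCL is atomic and fails with EEXIST even when
    the existing entry is a dangling symlink; O_NOFOLLOW (where the platform
    has it) additionally refuses to traverse a symlink in the final component.
    Returns True if the file was created, False if the path was occupied."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o640)
    except FileExistsError:
        return False
    except OSError as e:
        if e.errno == errno.ELOOP:  # O_NOFOLLOW hit a symlink on some platforms
            return False
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo():
    """Constructed scenario: a symlink sits where the privileged writer expects
    to create its report. Returns None if the platform cannot create symlinks,
    otherwise a dict of outcomes (all True when the hardened version behaves)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = Path(tmp) / "victim.txt"
        victim.write_bytes(b"original contents")
        planted = Path(tmp) / "crash.report"
        try:
            planted.symlink_to(victim)
        except OSError:
            return None

        # Unsafe writer: the data lands in victim.txt, not in crash.report.
        write_report_unsafe(planted, b"dump")
        clobbered = victim.read_bytes() == b"dump"

        # Safe writer: refuses the occupied path and leaves the target alone.
        victim.write_bytes(b"original contents")
        refused = write_report_safe(planted, b"dump") is False
        intact = victim.read_bytes() == b"original contents"

        # Safe writer on a genuinely fresh path succeeds exactly once.
        fresh = Path(tmp) / "fresh.report"
        created = write_report_safe(fresh, b"dump") and fresh.read_bytes() == b"dump"
        second_refused = write_report_safe(fresh, b"again") is False

        return {
            "unsafe_clobbered_target": clobbered,
            "safe_refused_symlink": refused,
            "target_intact_after_safe": intact,
            "safe_created_fresh_file": created,
            "second_create_refused": second_refused,
        }


if __name__ == "__main__":
    print(demo())
```

The kernel's `fs.protected_symlinks` sysctl, which the show notes refer to as Ubuntu's symlink protection, only covers symlinks in world-writable sticky directories, so a privileged writer should still refuse to follow links itself rather than rely on that mitigation alone.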
[USN-4966-1, USN-4966-2] libx11 vulnerability [05:57]
  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
    • CVE-2021-31535
  • When looking up a color, failed to properly validate it - an app could then get extra X protocol requests sent to the X server, i.e. could disable X server authorisation etc., so remote attackers could connect to the local X server and snoop on inputs etc.

Goings on in Ubuntu Security Community

#ubuntu-hardened -> #ubuntu-security on Libera.Chat [06:45]
  • LWN writeup https://lwn.net/Articles/857140/
  • Volunteer staff resigned en masse after the network was taken over by a tech entrepreneur
  • Ubuntu IRC council voted and approved a resolution to recommend moving Ubuntu IRC channels from freenode to Libera.Chat
  • Community Council approved this, so now all channels have moved to Libera.Chat
  • Almost all of the old channels on freenode have now been taken over by the new freenode staff
  • irc.ubuntu.com now redirects to irc.libera.chat
  • Finally took the opportunity to rename our channel - #ubuntu-security
  • Come join us
  • Get in contact
    • #ubuntu-security on the Libera.Chat IRC network
    • ubuntu-hardened mailing list
    • Security section on discourse.ubuntu.com
    • @ubuntu_sec on twitter