Overview
The venerable Ubuntu 18.04 LTS release has transitioned into ESM, plus we look
at Till Kamppeter’s excellent guide on how to set up your GitHub projects to
receive private vulnerability reports, and we cover the week in security updates
including PostgreSQL, Jhead, the Linux kernel, Linux PTP, snapd and a whole lot
This week in Ubuntu Security Updates
[USN-6104-1] PostgreSQL vulnerabilities (00:55)
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2455 CVE-2023-2454
Two issues, both requiring an authenticated user. One is in the handling of
CREATE privileges - could allow an authenticated user to execute arbitrary code
as the bootstrap superuser - the other is in row security policies, which
could allow a user to bypass them and read or write rows contrary to the
security policy.
[USN-6105-1] ca-certificates update (01:32)
Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
Updates to the latest upstream 2.60 release from Mozilla - adds a bunch of new
CAs plus removes some that had either expired or that are no longer used
[USN-6106-1] calamares-settings-ubuntu vulnerability (02:08)
Affecting Jammy (22.04 LTS)
When installing Lubuntu, it would allow the first user to be created with an
empty password. Lubuntu uses its own installer called Calamares - so this issue
only affects Lubuntu, not regular Ubuntu or other Ubuntu flavours.
[USN-6100-1] HTML::StripScripts vulnerability (02:58)
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-24038
ReDoS when parsing HTML with "certain style attributes"
[USN-6108-1] Jhead vulnerabilities (03:18)
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-41751 CVE-2021-34055
[USN-6098-1] Jhead vulnerabilities in last week's episode
Code exec - place OS commands into a JPEG filename and then use jhead to rotate
the file
Buffer overflow when writing Exif data
[USN-6110-1] Jhead vulnerabilities
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2021-28277 CVE-2021-28275 CVE-2021-3496
Stack buffer overflow, heap buffer overflow and OOB read - DoS / code exec
[USN-6113-1] Jhead vulnerability
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2018-6612
Heap buffer OOB read -> DoS
[USN-6054-2] Django vulnerability (04:17)
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-31047
[USN-6054-1] Django vulnerability in Episode 194
[USN-6109-1, USN-6118-1] Linux kernel (Raspberry Pi + Oracle) vulnerabilities (04:29)
8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-1118 CVE-2023-32269 CVE-2023-2162 CVE-2023-1513 CVE-2023-1078 CVE-2023-1075 CVE-2023-0459 CVE-2022-3707
5.4 raspi + oracle kernels on both 20.04 LTS + 18.04 LTS
Most issues covered on previous episodes
[USN-6122-1] Linux kernel (OEM) vulnerabilities (04:49)
2 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-2612 CVE-2023-32233
6.1 OEM kernel for 22.04 LTS
Race condition in netfilter (nf_tables) able to be triggered by a local user ->
UAF - requires CAP_NET_ADMIN, but that can be obtained in an unprivileged user
namespace, so it can be triggered out of the box by an unprivileged user on
Ubuntu
PoC was published for this last week - caused a bunch of folks to get anxious,
but since it can be mitigated by disabling unprivileged user namespaces
(sysctl kernel.unprivileged_userns_clone=0 on Ubuntu kernels) perhaps it was
not worth all the hype? Also kernel updates take a while to prepare and test
etc so it is not easy to just drop everything and crank out a new kernel - in
general that would only happen for remotely exploitable issues
[USN-6123-1] Linux kernel (OEM) vulnerabilities (06:48)
5 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-26606 CVE-2023-2612 CVE-2023-1670 CVE-2023-30456 CVE-2023-32233
6.0 OEM kernel
Netfilter issue above, plus mishandling of control registers in nested KVM
VMs - could allow a guest VM to crash the VM host
[USN-6124-1] Linux kernel (OEM) vulnerabilities (07:10)
6 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-2612 CVE-2023-1670 CVE-2022-4139 CVE-2022-3586 CVE-2023-30456 CVE-2023-32233
5.17 OEM kernel
Mostly the same issues as above
[USN-6097-1] Linux PTP vulnerability (07:20)
1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3570
Precision Time Protocol implementation - allows time to be synchronised
between machines to sub-microsecond accuracy - more accurate than NTP - uses a
leader/follower architecture - the leader is synchronised with high accuracy
via, say, GPS and then distributes that time to other machines via PTP
Failed to check the length of received packets properly (but only for
forwarded packets) - results in an OOB read/write - so could be either an info
leak or possible RCE
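To make the "forwarded packets" point concrete, here is an added example of the kind of length validation a PTP forwarder needs before it touches a received message. This is illustrative code written for these show notes; it is not linuxptp's code and does not reproduce the CVE-2021-3570 patch. It parses the 34-byte PTPv2 common header, rejects a datagram whose declared messageLength is either shorter than the header or longer than what recvfrom() actually delivered, and only then copies the message on. The Sync frame it operates on is constructed in the block itself.

```c
/*
 * Illustrative PTPv2 frame validation before forwarding (added example, not
 * linuxptp code). The class of bug shown: trusting a message's own length
 * field, which a forwarder then uses to copy bytes it never received.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTP_HEADER_LEN 34u   /* size of the IEEE 1588v2 common message header */

enum ptp_check {
    PTP_OK = 0,
    PTP_ERR_SHORT,      /* fewer bytes received than a header needs */
    PTP_ERR_LENGTH,     /* messageLength field inconsistent with bytes received */
    PTP_ERR_VERSION     /* not PTPv2 */
};

struct ptp_header {
    uint8_t  message_type;    /* low nibble of byte 0 (0x0 = Sync, 0x1 = Delay_Req, ...) */
    uint8_t  version;         /* low nibble of byte 1 */
    uint16_t message_length;  /* bytes 2..3, big-endian, total length including header */
    uint8_t  domain_number;   /* byte 4 */
    uint16_t sequence_id;     /* bytes 30..31, big-endian */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 'received' is what recvfrom() returned, never the length the packet claims. */
enum ptp_check ptp_validate(const uint8_t *buf, size_t received, struct ptp_header *out)
{
    if (received < PTP_HEADER_LEN)
        return PTP_ERR_SHORT;

    struct ptp_header h;
    h.message_type   = buf[0] & 0x0f;
    h.version        = buf[1] & 0x0f;
    h.message_length = be16(buf + 2);
    h.domain_number  = buf[4];
    h.sequence_id    = be16(buf + 30);

    if (h.version != 2)
        return PTP_ERR_VERSION;
    /* A declared length longer than the bytes received makes any later copy of
     * message_length bytes read past the buffer; one shorter than the header
     * makes fixed-offset field accesses go out of bounds. Reject both. */
    if (h.message_length < PTP_HEADER_LEN || h.message_length > received)
        return PTP_ERR_LENGTH;

    if (out) *out = h;
    return PTP_OK;
}

/* Forward a validated message into 'out'. Returns bytes copied, or -1. */
long ptp_forward(const uint8_t *in, size_t received, uint8_t *out, size_t out_cap)
{
    struct ptp_header h;
    if (ptp_validate(in, received, &h) != PTP_OK)
        return -1;
    if (h.message_length > out_cap)      /* the peer does not get to size our buffer */
        return -1;
    memcpy(out, in, h.message_length);   /* bounded by both checks above */
    return (long)h.message_length;
}

/* Constructed sample: a 44-byte PTPv2 Sync message (header + 10-byte origin
 * timestamp) whose messageLength field is set by the caller so that the
 * mismatch cases can be exercised. */
#define SYNC_FRAME_LEN 44u
static void build_sync_frame(uint8_t buf[SYNC_FRAME_LEN], uint16_t declared_len, uint16_t seq)
{
    memset(buf, 0, SYNC_FRAME_LEN);
    buf[0]  = 0x00;                          /* messageType Sync */
    buf[1]  = 0x02;                          /* versionPTP 2 */
    buf[2]  = (uint8_t)(declared_len >> 8);
    buf[3]  = (uint8_t)(declared_len & 0xff);
    buf[30] = (uint8_t)(seq >> 8);
    buf[31] = (uint8_t)(seq & 0xff);
}

/* Demo helpers: build the sample frame and pretend 'received' bytes (<= 44) arrived. */
enum ptp_check check_constructed_frame(uint16_t declared_len, size_t received)
{
    uint8_t frame[SYNC_FRAME_LEN];
    build_sync_frame(frame, declared_len, 0x1234);
    return ptp_validate(frame, received, NULL);
}

long forward_constructed_frame(uint16_t declared_len, size_t received, size_t out_cap)
{
    uint8_t frame[SYNC_FRAME_LEN], out[256];
    build_sync_frame(frame, declared_len, 0x1234);
    return ptp_forward(frame, received, out, out_cap > sizeof out ? sizeof out : out_cap);
}

int main(void)
{
    printf("well-formed:       %d\n", check_constructed_frame(44, 44));   /* 0 = PTP_OK */
    printf("truncated:         %d\n", check_constructed_frame(44, 20));   /* PTP_ERR_SHORT */
    printf("length > received: %d\n", check_constructed_frame(200, 44));  /* PTP_ERR_LENGTH */
    printf("forwarded bytes:   %ld\n", forward_constructed_frame(44, 44, 64));
    return 0;
}
```

The two comparisons in ptp_validate are the whole point: the received byte count comes from the socket, the declared length comes from the peer, and the forwarder must not copy or index beyond the smaller of the two.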
[USN-6005-2] Sudo vulnerabilities (08:49)
2 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-28487 CVE-2023-28486
[USN-6005-1] Sudo vulnerabilities in Episode 193
[USN-6111-1] Flask vulnerability (09:02)
1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-30861
Possibly sends a response intended for one client to a different client due to
mishandling of the Vary: Cookie header (a response that depended on the session
cookie could be cached without it) - requires the use of a caching proxy and
other conditions though, so may not be a widespread issue
[USN-6112-1] Perl vulnerability (09:35)
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2023-31484
Failed to properly validate TLS certs when using CPAN with HTTP::Tiny to
download modules over HTTPS - CPAN did not set the verify_SSL parameter when
constructing its HTTP::Tiny client, and HTTP::Tiny does not verify by default
Seems the upstream HTTP::Tiny developers think it would be discriminatory to
enable SSL verification by default as that would make applications etc that
use self-signed certs or community-driven CAs like CAcert.org fail - but this
seems pretty outdated since with Let's Encrypt etc nowadays there is easy
access to trusted certs for anyone - and so this just does a disservice to all
applications that use HTTP::Tiny, making them potentially insecure
out-of-the-box
Won't be surprised to see other similar vulns in the future as a result of
this foot-gun
[USN-6114-1] nth-check vulnerability (11:32)
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3803
Node.js module for parsing and compiling CSS nth-checks (the expressions used
in CSS 3 :nth-child() and :nth-last-of-type() selectors) - you can pass it a
string and it will compile that to an optimised function for calling by other
code
ReDoS
[USN-6116-1] hawk vulnerability (12:11)
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-29167
Node.js HTTP Holder-Of-Key authentication scheme - an HTTP authentication
scheme similar to the regular HTTP Digest scheme - used by Mozilla for Firefox
Accounts
ReDoS
[USN-6115-1] TeX Live vulnerability (12:47)
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32700
Shell command execution in LuaTeX if run against an untrusted document - the
document could reach the unrestricted io.popen of the underlying Lua engine
and so run arbitrary shell commands at compile time
[USN-6119-1] OpenSSL vulnerabilities (13:20)
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-1255 CVE-2023-2650
CPU-based DoS when processing crafted ASN.1 object identifiers - requires an
object ID which is itself tens to hundreds of KBs - OpenSSL 3 has a 100KB
limit on the peer certificate chain, which limits the ability to deliver such
long IDs to OpenSSL over TLS (other inputs, such as parsing arbitrary
certificates or CMS data, are not covered by that limit)
An aarch64-specific issue - the AES-XTS decryption implementation could read
past the end of the input buffer -> OOB read -> possible DoS, but only if the
ciphertext is a certain size relative to the block size
[USN-6120-1] SpiderMonkey vulnerabilities (14:25)
9 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32215 CVE-2023-32211 CVE-2023-29550 CVE-2023-29548 CVE-2023-29536 CVE-2023-29535 CVE-2023-25751 CVE-2023-25739 CVE-2023-25735
mozjs 102.11 release - the JS engine shipped in Firefox, so has a lot of
overlap with CVEs in Firefox etc.
Thanks to Jeremy Bicha on the Ubuntu Desktop team for preparing these updates
[USN-6121-1] Nanopb vulnerabilities (14:45)
2 CVEs addressed in Focal (20.04 LTS)
CVE-2021-21401 CVE-2020-26243
Implementation of Protocol Buffers with a small code size - designed for
embedded systems etc
Memory leak on parsing of crafted messages, plus an invalid free() or realloc()
on crafted messages - both only really an issue if parsing untrusted content
[USN-6117-1] Apache Batik vulnerabilities (15:16)
7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-42890 CVE-2022-41704 CVE-2022-40146 CVE-2022-38648 CVE-2022-38398 CVE-2020-11987 CVE-2019-17566
Java SVG library
5 different SSRF issues, one of them in the handling of jar: URLs - could allow
access to local files on the server
2 different issues that could allow untrusted Java code embedded in an SVG to
be executed
[USN-6125-1] snapd vulnerability (15:48)
1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-1523
Very similar to a recent issue (CVE-2023-28100) in flatpak - the seccomp
sandbox failed to block the TIOCLINUX ioctl() request - could allow a snap to
inject contents into the controlling terminal when run on a virtual console -
this would then be executed by the shell when the snap finished running ->
code exec outside the snap sandbox
Now simply blocks TIOCLINUX as it already did for TIOCSTI in the past
Very similar to historic TIOCSTI CVEs such as CVE-2016-9016 in firejail,
CVE-2016-10124 in lxc, CVE-2017-5226 in bubblewrap and CVE-2019-10063 in flatpak
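For anyone building their own sandbox rather than relying on snapd's, here is an added example (written for these show notes, not snapd's code or its generated seccomp profile) of the kind of rule the fix adds: a classic seccomp-BPF filter that returns EPERM for ioctl(TIOCSTI) and ioctl(TIOCLINUX) and lets every other syscall through. It assumes x86_64 or aarch64 (the AUDIT_ARCH value is wired in by preprocessor check) and includes a small evaluator that walks the filter the way the kernel would, so the decisions can be tested without installing the filter into the running process; install_tty_inject_filter() shows the real, irreversible installation.

```c
/*
 * Added example (not snapd code): block the two tty-injection ioctls that
 * TIOCSTI/TIOCLINUX sandbox escapes rely on, with a toy cBPF evaluator so the
 * filter can be checked before it is installed.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>     /* TIOCSTI, TIOCLINUX, FIONREAD */
#include <sys/prctl.h>
#include <sys/syscall.h>   /* __NR_ioctl */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Jump targets are relative, so every index is written out: an off-by-one
 * here silently turns a deny into an allow (or a kill). */
static struct sock_filter tty_inject_filter[] = {
    /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),       /* ok -> 3 */
    /* 2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),       /* foreign ABI */
    /* 3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* 4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 4),    /* not ioctl -> 9 */
    /* 5 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])), /* request, low 32 bits (little-endian) */
    /* 6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 1, 0),       /* match -> 8 */
    /* 7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCLINUX, 0, 1),     /* match -> 8, else 9 */
    /* 8 */ BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
    /* 9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Evaluate the filter for one syscall as the kernel would; only the three
 * cBPF instruction forms used above are modelled. Returns a SECCOMP_RET_*. */
uint32_t filter_decision(int nr, unsigned long ioctl_request)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = ARCH_NR;
    d.args[1] = ioctl_request;

    size_t len = sizeof tty_inject_filter / sizeof tty_inject_filter[0];
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len;) {
        const struct sock_filter *in = &tty_inject_filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k > sizeof d - sizeof acc) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)&d + in->k, sizeof acc);
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;   /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;           /* fell off the end */
}

/* Install for real: applies to this process and everything it forks/execs. */
int install_tty_inject_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof tty_inject_filter / sizeof tty_inject_filter[0]),
        .filter = tty_inject_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

int main(void)
{
    printf("ioctl(TIOCSTI)   -> %s\n", filter_decision(__NR_ioctl, TIOCSTI) == DENY_EPERM ? "EPERM" : "allow");
    printf("ioctl(TIOCLINUX) -> %s\n", filter_decision(__NR_ioctl, TIOCLINUX) == DENY_EPERM ? "EPERM" : "allow");
    printf("ioctl(FIONREAD)  -> %s\n", filter_decision(__NR_ioctl, FIONREAD) == SECCOMP_RET_ALLOW ? "allow" : "EPERM");
    if (install_tty_inject_filter() == 0) {
        char c = 'x';
        int r = ioctl(0, TIOCSTI, &c);   /* now fails with EPERM even on a real tty */
        printf("live ioctl(TIOCSTI) = %d errno=%d\n", r, errno);
    }
    return 0;
}
```

Two design points worth noting: the architecture check at the top is not optional (without it a 32-bit compat syscall with a different ioctl number could slip past the request comparison), and the filter compares only the low 32 bits of args[1], which is sufficient because ioctl request numbers fit in 32 bits but means a second rule set would be needed on a big-endian target.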
[USN-6126-1] libvirt vulnerabilities (17:44)
2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2700 CVE-2022-0897
Race condition within the nwfilter driver - allows a local unprivileged user
to race against the driver, corrupt the list of network filters and trigger a
crash in the libvirt daemon
Memory leak when reading SR-IOV PCI device capabilities
Goings on in Ubuntu Security Community
Ubuntu 18.04 has now entered ESM (18:21)
https://www.omgubuntu.co.uk/2023/05/ubuntu-18-04-general-support-ends-enable-esm-to-stay-protected
OpenPrinting tutorial on handling security bugs via GitHub (19:40)
https://openprinting.github.io/OpenPrinting-News-May-2023/#handling-reported-security-bugs-with-github
Last week we talked about a vulnerability in the cups-filters package
Discusses the difficulty in handling security issues in open source projects,
where all the development is usually done in the open - how do you privately
report and collaborate on a security issue?
GitHub offers the ability to report security vulnerabilities privately
Not enabled by default since it requires some configuration on the part of the
maintainer to configure the templates etc that get sent out - also needs the
organisation that owns the repo to enable this as well
GitHub offers some great guidance on the best ways to do this
Usual workflow is to submit a report privately and then a temporary private
fork can be created in which to develop the fix
Read Till's blog post as that contains a great walk-through on how to enable
this
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter