Overview
Double episode covering the security updates from the last 2 weeks, including snapd (DirtySock), systemd and more, plus we talk responsible disclosure and some open positions on the Ubuntu Security team.
This week in Ubuntu Security Updates
[USN-3886-1] poppler vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  - CVE-2019-7310
  - CVE-2018-20551
- Two DoS:
  - Out-of-bounds heap buffer read due to missing check for a negative index -> crash -> DoS
  - Crash due to hitting an assertion -> DoS
[USN-3888-1] GVfs vulnerability
- 1 CVE addressed in Bionic, Cosmic
  - CVE-2019-3827
- Possible to allow a local user with admin privileges (e.g. sudo group) to read arbitrary files without prompting for authorisation IF no PolicyKit agents are running
- PolicyKit agents run by default, so this would require the user to be running a different DE or to have uninstalled / disabled them
- Also low impact since the user has the authority anyway
[USN-3889-1] WebKitGTK+ vulnerabilities
- 2 CVEs addressed in Bionic, Cosmic
  - CVE-2019-6215
  - CVE-2019-6212
- Memory corruption and type confusion errors, leading to possible remote code execution
[USN-3890-1] Django vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic
  - CVE-2019-6975
- Could cause Django to consume a large amount of memory when formatting a decimal number with a large number of digits or with a large exponent, since it would simply print every single provided character
- Possible DoS, although a very large number would need to be input
- Fix is to format numbers with more than 200 characters in scientific notation
[USN-3887-1] snapd vulnerability
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  - CVE-2019-7304
- 'DirtySock', discovered by Chris Moberly
- Failed to correctly parse and validate the remote socket address
- Code had undergone refactoring, which introduced this bug
- Allows impersonating a privileged user and therefore calling privileged APIs via the snapd socket
[USN-3850-2] NSS vulnerabilities
- 3 CVEs addressed in Precise ESM
  - CVE-2018-12404
  - CVE-2018-12384
  - CVE-2018-0495
- Covered back in Episode 17
[USN-3891-1] systemd vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic
  - CVE-2019-6454
- Discovered by Ubuntu Security team member Chris Coulson
- Stack buffer overflow of the DBus path field: declared as a VLA, but the sender could use a value larger than the stack size and therefore jump the entire stack and the guard pages
- Segmentation violation -> crash -> DoS
- systemd does not automatically restart, so this brings down the entire system and requires a reboot
- Possible code execution, but unlikely
- DBus and systemd need to agree on what the maximum size of various elements is: the DBus spec says a path could be unlimited, but in practice it is less than 32MB (dbus-daemon limits messages to this size); systemd now limits the path to 64KB AND ensures it keeps running after receiving an invalidly sized path
[USN-3892-1] GDM vulnerability
- 1 CVE addressed in Bionic, Cosmic
  - CVE-2019-3825
- Logic error in handling of timed logins (not enabled by default)
- If the screen is already locked, select to log in as a different user, then select a user which has timed login enabled; after the timeout this will unlock the screen of the original user
- Administrator privileges are needed to enable timed login for a given user, so low impact
[USN-3866-2] Ghostscript regression
- Affecting Trusty, Xenial, Bionic, Cosmic
- Previous update for Ghostscript (USN-3866-1, Episode 18) caused a regression in printing 4"x6" (v9.26, upstream bug)
[USN-3893-1] Bind vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  - CVE-2019-6465
  - CVE-2018-5745
  - CVE-2018-5744
- Failure to properly apply controls to zone transfers: could allow clients to request and receive a zone transfer of a dynamically loadable zone contrary to the allow-transfer ACL
- Assertion failure if a trust anchor's keys are replaced with keys using an unsupported algorithm during a key rollover when using the managed-keys feature for DNSSEC validation
- Remotely triggerable memory leak when processing particular packets -> DoS
Goings on in Ubuntu Security Community
snapd, systemd and handling of embargoed issues
- 2 updates involving close communication between the Ubuntu Security Team and external stakeholders, under embargo
- Responsible disclosure allows coordinating a fix in a timely manner and then releasing the update once all parties are ready, in a coordinated manner
  - Set a CRD (coordinated release date) with stakeholders (reporter, upstream, other distros etc.)
  - Coordinate the fix with upstream and other distros
  - Plan coordinated updates to be released with other distros / upstream at the CRD
Hiring
Ubuntu Security Generalist
https://boards.greenhouse.io/canonical/jobs/1548812
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Security Automation Engineer
https://boards.greenhouse.io/canonical/jobs/1548632
Get in contact
- #ubuntu-security on the Libera.Chat IRC network
- @ubuntu_sec on twitter
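An added illustration (not systemd's code) of the hardened pattern described in the systemd item above (USN-3891-1, CVE-2019-6454): the length of a peer-supplied DBus object path is checked against a program-chosen cap before any byte of the field is read, the destination buffer size is fixed by the program rather than the sender, and an oversized or malformed path is reported as an error instead of crashing the daemon. The 64KB cap matches the figure in the notes; the function names and the 256-byte buffer are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Cap on the path field, matching the 64KB limit quoted in the notes. */
#define DBUS_PATH_MAX_LEN (64 * 1024)

enum path_status { PATH_OK = 0, PATH_TOO_LONG = 1, PATH_INVALID = 2 };

/* Characters allowed in a D-Bus object path element: [A-Za-z0-9_]. */
static int path_char_ok(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '_';
}

/* Validate an object path taken from an untrusted message. The size
 * check runs first, before a single byte of the field is read, so the
 * sender cannot drive any allocation sized by `len`. Errors are
 * returned, not asserted, so a long-running daemon keeps serving. */
enum path_status check_dbus_path(const char *p, size_t len) {
    if (len > DBUS_PATH_MAX_LEN) return PATH_TOO_LONG;
    if (len == 0 || p[0] != '/') return PATH_INVALID;
    if (len == 1) return PATH_OK;                /* the root path "/" */
    if (p[len - 1] == '/') return PATH_INVALID;  /* no trailing slash */
    for (size_t i = 1; i < len; i++) {
        if (p[i] == '/') {
            if (p[i - 1] == '/') return PATH_INVALID; /* empty element */
        } else if (!path_char_ok((unsigned char)p[i])) {
            return PATH_INVALID;
        }
    }
    return PATH_OK;
}

/* Consumer of the field. A VLA such as `char path[len + 1]` would let
 * the sender choose the stack allocation; here the buffer size is fixed
 * at compile time and the copy is refused when the path does not fit.
 * Returns the copied length, or -1 if the field was rejected. */
int handle_path_field(const char *p, size_t len) {
    char path[256];                       /* assumed program-chosen size */
    if (check_dbus_path(p, len) != PATH_OK) return -1;
    if (len + 1 > sizeof path) return -1;
    memcpy(path, p, len);
    path[len] = '\0';
    return (int)strlen(path);
}
```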