Overview
This week we cover security updates including Firefox, Thunderbird, OpenSSL and another Ghostscript regression, plus we look at a recent report from Capsule8 comparing Linux hardening features across various distributions and we answer some listener questions.
This week in Ubuntu Security Updates
[USN-3893-2] Bind vulnerabilities
- 2 CVEs addressed in Precise ESM
  - CVE-2019-6465
  - CVE-2018-5745
- Covered last week in Episode 21 for regular Ubuntu releases
[USN-3866-3] Ghostscript regression
- Affecting Trusty, Xenial, Bionic, Cosmic
- Mentioned briefly last week
- The previous Ghostscript update introduced a regression (blue background)
- See the Q&A section below for more information
[USN-3894-1] GNOME Keyring vulnerability
- 1 CVE addressed in Trusty, Xenial
  - CVE-2018-20781
- Already fixed upstream (hence does not apply to Bionic / Cosmic etc.)
- User's login password kept in the memory of a child process after the PAM session is opened
- Could be dumped by the root user or captured in a crash dump etc. and possibly exposed
- Other tools exist to try and extract it from memory as well (mimipenguin etc.)
- Fix is to simply reset this after the PAM session is opened
[USN-3895-1] LDB vulnerability
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  - CVE-2019-3824
- LDAP-like embedded database (used by Samba and others)
- Authenticated user can cause an out-of-bounds read when searching the LDAP backend of an AD DC with a search string containing multiple wildcards - crash -> DoS
[USN-3896-1] Firefox vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  - CVE-2019-5785
  - CVE-2018-18511
  - CVE-2018-18356
- Firefox 65
- Use-after-free and integer overflow in the Skia library (vector graphics library, similar to cairo)
- Cross-origin image theft - able to read from a canvas element in violation of the same-origin policy using the transferFromImageBitmap() method
[USN-3897-1] Thunderbird vulnerabilities
- 7 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  - CVE-2018-18509
  - CVE-2018-18505
  - CVE-2018-18501
  - CVE-2019-5785
  - CVE-2018-18500
  - CVE-2018-18356
  - CVE-2016-5824
- Thunderbird 60.5.1
- Use-after-free and integer overflow in the Skia library (vector graphics library, similar to cairo)
- Messages with an invalid (reused) S/MIME signature were shown as verified
- Use-after-free parsing an HTML5 stream with custom HTML elements
- Use-after-free in the embedded libical via a crafted ICS file
[USN-3898-1, USN-3898-2] NSS vulnerability
- 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  - CVE-2018-18508
- Several NULL pointer dereferences -> crash -> DoS
[USN-3899-1] OpenSSL vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic
  - CVE-2019-1559
- Possible padding oracle (an application which uses OpenSSL could behave differently depending on whether a record contained valid padding or not)
- Attacker can learn plaintext by modifying ciphertext and observing the different behaviour
[USN-3900-1] GD vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  - CVE-2019-6978
  - CVE-2019-6977
- Double free if it fails to properly extract an image file - crash -> DoS
- Heap-based buffer overflow in color matching (triggerable by a specially crafted image) - crash -> DoS, possible code execution
Goings on in Ubuntu Security Community
Comparison of Linux Hardening across distributions
- https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/
- Analyses binaries from various Linux distributions (openSUSE, Debian, CentOS, RHEL and Ubuntu) looking for hardening features
- Compares kernel configuration against the KSPP recommendations
- Ubuntu 18.04 ranks highest, due to proactive hardening features baked into the toolchain and a newer kernel taking advantage of upstream KSPP features
- gcc is patched so anyone building on Ubuntu gets these features
  - build.snapcraft.io too
- However, it is missing stack clash mitigation
- Plan to add more hardening features for 19.10 (stack clash and control-flow integrity support via gcc) and review kernel options cf. KSPP
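The per-binary hardening markers that the Capsule8 survey counts (PIE, non-executable stack, RELRO, BIND_NOW and stack canaries) can all be read straight out of the ELF program headers and dynamic section. The following is an added example, not code from the podcast or from Capsule8: a small Python checker that parses those structures itself (ELF64 little-endian only) and a builder for a constructed, non-runnable sample ELF image so the checker can be exercised offline. The canary test is the usual heuristic of looking for an imported `__stack_chk_fail`, which is an assumption that misses statically linked binaries.

```python
"""Inspect an ELF64 binary for the hardening markers a survey like Capsule8's
counts: PIE, NX stack, RELRO, BIND_NOW (full RELRO) and stack canaries.
Added example, not code from the podcast or Capsule8; it parses the ELF
headers itself, so it needs neither readelf nor checksec."""
import struct
import sys

# Constants from elf.h; ELF64 little-endian only (x86-64, aarch64, ...).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS = 0, 5, 10, 24, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Return a dict of hardening markers present in an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    loads = [p for p in phdrs if p[0] == PT_LOAD]

    def vaddr_to_off(vaddr):
        # Translate a virtual address to a file offset via PT_LOAD segments.
        for _, _, off, va, _, filesz, _, _ in loads:
            if va <= vaddr < va + filesz:
                return off + (vaddr - va)
        raise ValueError("address %#x is not file-backed" % vaddr)

    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    result = {
        "pie": e_type == ET_DYN,  # ET_DYN executable => ASLR-capable
        # Linux treats a missing PT_GNU_STACK as executable, so only an
        # explicit GNU_STACK segment without PF_X counts as NX.
        "nx": bool(stack) and not (stack[0][1] & PF_X),
        "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),
        "bind_now": False, "canary": False, "full_relro": False,
    }
    dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dyn is None:
        return result  # statically linked: nothing dynamic to inspect
    tags, off = {}, dyn[2]
    while True:  # walk the .dynamic table up to DT_NULL
        tag, val = DYN.unpack_from(data, off)
        if tag == DT_NULL:
            break
        tags.setdefault(tag, val)
        off += DYN.size
    result["bind_now"] = (DT_BIND_NOW in tags
                          or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                          or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    result["full_relro"] = result["relro"] and result["bind_now"]
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = vaddr_to_off(tags[DT_STRTAB])
        strtab = data[start:start + tags[DT_STRSZ]]
        # Code built with -fstack-protector imports __stack_chk_fail.
        result["canary"] = b"__stack_chk_fail\0" in strtab
    return result


def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True,
                     canary=True) -> bytes:
    """Construct a minimal, non-runnable ELF64 image with the requested
    markers (constructed sample input, not a real distribution binary)."""
    strtab = b"\0" + (b"__stack_chk_fail\0" if canary else b"") + b"puts\0"
    n_ph = 3 + (1 if relro else 0)
    str_off = EHDR.size + PHDR.size * n_ph
    dyn_off = str_off + len(strtab)
    entries = [(DT_STRTAB, str_off), (DT_STRSZ, len(strtab))]
    if bind_now:
        entries.append((DT_FLAGS, DF_BIND_NOW))
    entries.append((DT_NULL, 0))
    dyn = b"".join(DYN.pack(t, v) for t, v in entries)
    total = dyn_off + len(dyn)
    phdrs = [  # one PT_LOAD at vaddr 0 covers the file: vaddr == offset
        PHDR.pack(PT_LOAD, PF_R | PF_W, 0, 0, 0, total, total, 0x1000),
        PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off,
                  len(dyn), len(dyn), 8),
        PHDR.pack(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X),
                  0, 0, 0, 0, 0, 16),
    ]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, dyn_off, dyn_off,
                               dyn_off, len(dyn), len(dyn), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, n_ph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + strtab + dyn


if __name__ == "__main__":  # usage: python3 elf_hardening.py [/path/to/binary]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, present in check_hardening(blob).items():
        print("%-10s %s" % (name, "yes" if present else "NO"))
```

Run it against any installed executable (for example a binary from /usr/bin) to see the markers that a distribution's toolchain defaults produce; the split between `relro` and `full_relro` matters because partial RELRO alone leaves the GOT writable, which is why BIND_NOW is counted separately in surveys like this one.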
Q&A
Do the numerous bugs and regressions in Ghostscript indicate it is reaching its EOL?
- doc-E-brown via twitter
- Lots of recent focus -> finds bugs
- Ghostscript codebase is old and gnarly and some fixes have been quite invasive
- Any new code could introduce new bugs - particularly complicated fixes -> creates more bugs (regressions)
  - (as doc-E-brown suggests, regressions indicate an old code-base)
- Tavis (and others) seem to be looking elsewhere but there are likely still more bugs to be found
- Would be great if GS could either be made safer or a safer alternative found, but no-one is stepping up
- Sadly no good viable alternative currently
Hiring
Ubuntu Security Generalist
- https://boards.greenhouse.io/canonical/jobs/1548812
Robotics Security Engineer
- https://boards.greenhouse.io/canonical/jobs/1550997
Security Automation Engineer
- https://boards.greenhouse.io/canonical/jobs/1548632
Get in contact
- #ubuntu-security on the Libera.Chat IRC network
- @ubuntu_sec on twitter