March 25, 2019

Episode 25

14 minutes

Overview

Ghostscript is back to haunt us for another week, plus we look at vulnerabilities in ntfs-3g, snapd, firefox and more.

This week in Ubuntu Security Updates

39 unique CVEs addressed

[USN-3911-1] file vulnerabilities

4 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-8907

CVE-2019-8906

CVE-2019-8905

CVE-2019-8904

4 DoS (crash) found via fuzzing:

Stack overflow in readelf

2 different OOB read due to failure to NULL terminate a string before processing it

Read past end of stack due to failing to properly keep track of buffer sizes

[USN-3906-2] LibTIFF vulnerabilities

8 CVEs addressed in Precise ESM

CVE-2019-7663

CVE-2019-6128

CVE-2018-18557

CVE-2018-17101

CVE-2018-17100

CVE-2018-1710

CVE-2018-12900

CVE-2018-10779

Covered in Episode 18 and Episode 24 for standard Ubuntu releases (not

all CVEs covered in those updates applicable to Precise ESM)

[USN-3912-1] GDK-PixBuf vulnerability

1 CVEs addressed in Xenial

CVE-2017-12447

Failure to properly validate BMP image palette parameters - leading to

OOB when decoding colormap later on

[USN-3914-1] NTFS-3G vulnerability

1 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-9755

Discovered recently by Chris Coulson during code-audit of ntfs-3g -

actually had been fixed upstream late last year but no CVE assigned

Heap buffer overflow able to be triggered when mounting a filesystem

onto a mount point with path name greater than PATH_MAX, and from a

current working directory which has a path name also greater than

PATH_MAX

Contents of buffers is attacker controlled so heap can be overflown

with attacker controlled input - likely to leverage into arbitrary

code execution

Contrived example BUT in Debian and Ubuntu ntfs-3g is setuid root -

which then leads to root privilege escalation with arbitrary code

execution

Update was released within hours of the bug being made public to fix

the heap buffer overflow

Currently testing ntfs-3g as not-setuid root to release in a future

update to avoid any other possible privilege escalation bugs in the

future

[USN-3915-1] Ghostscript vulnerabilities

2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-3838

CVE-2019-3835

Similar to previous CVE, forceput operator could be extracted from the

DefineResource method to allow access to the file-system outside of

the -dSAFER sandbox

superexec operator was available in the internal dictionary - also

able to be extracted and hence used to access files outside the

sandbox

[USN-3913-1] P7ZIP vulnerabilities

2 CVEs addressed in Xenial

CVE-2017-17969

CVE-2016-2335

Heap based OOB write when decompressing a crafted ZIP file (crash -> DoS, possible code execution)

Heap based OOB read when decompressing a UDF file (universal disk format - used for DVD images) - crash, DoS

[USN-3918-1] Firefox vulnerabilities

17 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-9803

CVE-2019-9793

CVE-2019-9809

CVE-2019-9808

CVE-2019-9807

CVE-2019-9806

CVE-2019-9805

CVE-2019-9802

CVE-2019-9799

CVE-2019-9797

CVE-2019-9796

CVE-2019-9795

CVE-2019-9792

CVE-2019-9791

CVE-2019-9790

CVE-2019-9789

CVE-2019-9788

Almost latest Firefox release (this is 66, 66.0.1 was released Friday after Pwn2Own

last week so expect another Firefox update today or tomorrow)

Multiple memory safety issues fixed, possible code execution as a result

3 issues in FTP modal dialogs allow to either DoS user via

successive dialogs, or conduct social engineering attacks against

the user

Possible information leak from parent to child process via IPC channels

Various UAFs, type-confusion etc -> memory corruption -> possible code execution

Incorrect bounds checking on JS objects IF Spectre mitigations

disabled (these are enabled by default so user would have to

explicitly disable them)

and more…

[USN-3917-1] snapd vulnerability

1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-7303

Jann Horn reported the seccomp blacklist for TIOCSTI can be bypassed

snapd creates a seccomp filter for each snap which is designed to

block TIOCSTI (as this can be used to fake input to other processes

outside of the sandbox)

This is a 32-bit value to the ioctl system call, but on 64-bit

architectures the kernel does this comparison as a 64-bit integer - so

can be circumvented by using a 64-bit value to ioctl systemcall which

has other bits set in the upper 32 bits - since when seccomp does

comparison it uses the full 64 bits - so it won’t match the 32-bit

value of TIOCSTI and so will be allowed - but then when used as the

ioctl() argument it will correctly be truncated to 32-bits and the

ioctl will proceed

Fixed in snapd to add a second seccomp filter to disallow anything in

the upper 32-bits

Initially seemed like a kernel or libseccomp issue but both currently

document this as a limitation already so treated in the end as a

vulnerability in snapd

[USN-3916-1] libsolv vulnerabilities

3 CVEs addressed in Cosmic

CVE-2018-20534

CVE-2018-20533

CVE-2018-20532

Dependency solver used by packaging systems to resolve dependencies

between packages etc

2 NULL pointer dereferences and 1 invalid memory read due to

mishandling of variable length function arguments - all crash -> DoS

Goings on in Ubuntu Security Community

Hiring

Ubuntu Security Generalist

https://boards.greenhouse.io/canonical/jobs/1548812

Robotics Security Engineer

https://boards.greenhouse.io/canonical/jobs/1550997

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

March 25, 2019

Episode 25

14 minutes

Overview

Ghostscript is back to haunt us for another week, plus we look at vulnerabilities in ntfs-3g, snapd, firefox and more.

This week in Ubuntu Security Updates

39 unique CVEs addressed

[USN-3911-1] file vulnerabilities

4 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-8907

CVE-2019-8906

CVE-2019-8905

CVE-2019-8904

4 DoS (crash) found via fuzzing:

Stack overflow in readelf

2 different OOB read due to failure to NULL terminate a string before processing it

Read past end of stack due to failing to properly keep track of buffer sizes

[USN-3906-2] LibTIFF vulnerabilities

8 CVEs addressed in Precise ESM

CVE-2019-7663

CVE-2019-6128

CVE-2018-18557

CVE-2018-17101

CVE-2018-17100

CVE-2018-1710

CVE-2018-12900

CVE-2018-10779

Covered in Episode 18 and Episode 24 for standard Ubuntu releases (not

all CVEs covered in those updates applicable to Precise ESM)

[USN-3912-1] GDK-PixBuf vulnerability

1 CVEs addressed in Xenial

CVE-2017-12447

Failure to properly validate BMP image palette parameters - leading to

OOB when decoding colormap later on

[USN-3914-1] NTFS-3G vulnerability

1 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-9755

Discovered recently by Chris Coulson during code-audit of ntfs-3g -

actually had been fixed upstream late last year but no CVE assigned

Heap buffer overflow able to be triggered when mounting a filesystem

onto a mount point with path name greater than PATH_MAX, and from a

current working directory which has a path name also greater than

PATH_MAX

Contents of buffers is attacker controlled so heap can be overflown

with attacker controlled input - likely to leverage into arbitrary

code execution

Contrived example BUT in Debian and Ubuntu ntfs-3g is setuid root -

which then leads to root privilege escalation with arbitrary code

execution

Update was released within hours of the bug being made public to fix

the heap buffer overflow

Currently testing ntfs-3g as not-setuid root to release in a future

update to avoid any other possible privilege escalation bugs in the

future

[USN-3915-1] Ghostscript vulnerabilities

2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-3838

CVE-2019-3835

Similar to previous CVE, forceput operator could be extracted from the

DefineResource method to allow access to the file-system outside of

the -dSAFER sandbox

superexec operator was available in the internal dictionary - also

able to be extracted and hence used to access files outside the

sandbox

[USN-3913-1] P7ZIP vulnerabilities

2 CVEs addressed in Xenial

CVE-2017-17969

CVE-2016-2335

Heap based OOB write when decompressing a crafted ZIP file (crash -> DoS, possible code execution)

Heap based OOB read when decompressing a UDF file (universal disk format - used for DVD images) - crash, DoS

[USN-3918-1] Firefox vulnerabilities

17 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-9803

CVE-2019-9793

CVE-2019-9809

CVE-2019-9808

CVE-2019-9807

CVE-2019-9806

CVE-2019-9805

CVE-2019-9802

CVE-2019-9799

CVE-2019-9797

CVE-2019-9796

CVE-2019-9795

CVE-2019-9792

CVE-2019-9791

CVE-2019-9790

CVE-2019-9789

CVE-2019-9788

Almost latest Firefox release (this is 66, 66.0.1 was released Friday after Pwn2Own

last week so expect another Firefox update today or tomorrow)

Multiple memory safety issues fixed, possible code execution as a result

3 issues in FTP modal dialogs allow to either DoS user via

successive dialogs, or conduct social engineering attacks against

the user

Possible information leak from parent to child process via IPC channels

Various UAFs, type-confusion etc -> memory corruption -> possible code execution

Incorrect bounds checking on JS objects IF Spectre mitigations

disabled (these are enabled by default so user would have to

explicitly disable them)

and more…

[USN-3917-1] snapd vulnerability

1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-7303

Jann Horn reported the seccomp blacklist for TIOCSTI can be bypassed

snapd creates a seccomp filter for each snap which is designed to

block TIOCSTI (as this can be used to fake input to other processes

outside of the sandbox)

This is a 32-bit value to the ioctl system call, but on 64-bit

architectures the kernel does this comparison as a 64-bit integer - so

can be circumvented by using a 64-bit value to ioctl systemcall which

has other bits set in the upper 32 bits - since when seccomp does

comparison it uses the full 64 bits - so it won’t match the 32-bit

value of TIOCSTI and so will be allowed - but then when used as the

ioctl() argument it will correctly be truncated to 32-bits and the

ioctl will proceed

Fixed in snapd to add a second seccomp filter to disallow anything in

the upper 32-bits

Initially seemed like a kernel or libseccomp issue but both currently

document this as a limitation already so treated in the end as a

vulnerability in snapd

[USN-3916-1] libsolv vulnerabilities

3 CVEs addressed in Cosmic

CVE-2018-20534

CVE-2018-20533

CVE-2018-20532

Dependency solver used by packaging systems to resolve dependencies

between packages etc

2 NULL pointer dereferences and 1 invalid memory read due to

mishandling of variable length function arguments - all crash -> DoS

Goings on in Ubuntu Security Community

Hiring

Ubuntu Security Generalist

https://boards.greenhouse.io/canonical/jobs/1548812

Robotics Security Engineer

https://boards.greenhouse.io/canonical/jobs/1550997

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

Share Episode 25

Sign up to save your podcasts

Episode 25

Episode 25