Sign up to save your podcasts
Or
Share Episode 30
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 30
Overview
Fixes for 19 different vulnerabilities across MySQL, Dovecot, Memcached and others, plus we talk to Joe McManus about the recent iLnkP2P IoT hack and the compromise of DockerHub’s credentials database and more.
This week in Ubuntu Security Updates
19 unique CVEs addressed
[USN-3957-1] MySQL vulnerabilities
[USN-3958-1] GStreamer Base Plugins vulnerability
malicious server to gain remote code execution on the client - session id
can contain attributes separated by semi-colons - would assume when
encountering a semi-colon that this delimits the maximum size of the
session id - however the session id has a maximum size of 512 bytes -
would overflow by using the user-supplied session id length rather than
sticking to the maximum structure length - changed to only parse up to
the maximum size of the structure to ensure we then don’t overflow when
copying
[USN-3959-1] Evince vulnerability
return the pixel data from an embedded TIFF image - on failure would end
up rendering uninitialised memory rather than the TIFF image - fixed to
check return values and bail out on error
[USN-3960-1] WavPack vulnerability
declared but uninitialized value would be used - could cause a crash etc
since could be anything - fixed to initialise it to 0 and to check if
still zero before proceeding to process
[USN-3961-1] Dovecot vulnerabilities
client aborts authentication the serer could crash due to a NULL pointer
dereference, and if using TLS but send an invalid authentication message
could crash as well
[USN-3962-1] libpng vulnerability
png_safe_execute() - this is an internal function which itself calls
png_image_free() - so after freeing the image would free it a second time
in certain conditions - changed to just call the free function directly
rather than via png_safe_execute()
[USN-3963-1] Memcached vulnerability
insufficient checks when parsing input - commands require 4 input tokens
but only checked for 3 (off-by-one) - could allow an attacker with access
to the command interface to crash memcached
[USN-3953-2] PHP vulnerabilities
for the ESM releases - two bugs in EXIF tag handling
[USN-3964-1] python-gnupg vulnerabilities
when an attacker can control the passphrase to gnupg and the ciphertext
is assumed trusted - this uses the command-interface of gnupg and passes
the passphrase directly to it - along with the ciphertext - so if
attacker includes newlines in the supplied passphrase can then inject
their own ciphertext (or plaintext in the context of encryption) - fixed
to check passphrase does not contain line-feed or carriage return
characters
gnupg directly in the filename to be decrypted when using verbose output
mode - fixed by sanitising this filename first
Discussion with Joe McManus about another IoT compromise and DockerHub
Goings on in Ubuntu Security Community
Hiring
Robotics Security Engineer
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
Fixes for 19 different vulnerabilities across MySQL, Dovecot, Memcached and others, plus we talk to Joe McManus about the recent iLnkP2P IoT hack and the compromise of DockerHub’s credentials database and more.
This week in Ubuntu Security Updates
19 unique CVEs addressed
[USN-3957-1] MySQL vulnerabilities
[USN-3958-1] GStreamer Base Plugins vulnerability
malicious server to gain remote code execution on the client - session id
can contain attributes separated by semi-colons - would assume when
encountering a semi-colon that this delimits the maximum size of the
session id - however the session id has a maximum size of 512 bytes -
would overflow by using the user-supplied session id length rather than
sticking to the maximum structure length - changed to only parse up to
the maximum size of the structure to ensure we then don’t overflow when
copying
[USN-3959-1] Evince vulnerability
return the pixel data from an embedded TIFF image - on failure would end
up rendering uninitialised memory rather than the TIFF image - fixed to
check return values and bail out on error
[USN-3960-1] WavPack vulnerability
declared but uninitialized value would be used - could cause a crash etc
since could be anything - fixed to initialise it to 0 and to check if
still zero before proceeding to process
[USN-3961-1] Dovecot vulnerabilities
client aborts authentication the serer could crash due to a NULL pointer
dereference, and if using TLS but send an invalid authentication message
could crash as well
[USN-3962-1] libpng vulnerability
png_safe_execute() - this is an internal function which itself calls
png_image_free() - so after freeing the image would free it a second time
in certain conditions - changed to just call the free function directly
rather than via png_safe_execute()
[USN-3963-1] Memcached vulnerability
insufficient checks when parsing input - commands require 4 input tokens
but only checked for 3 (off-by-one) - could allow an attacker with access
to the command interface to crash memcached
[USN-3953-2] PHP vulnerabilities
for the ESM releases - two bugs in EXIF tag handling
[USN-3964-1] python-gnupg vulnerabilities
when an attacker can control the passphrase to gnupg and the ciphertext
is assumed trusted - this uses the command-interface of gnupg and passes
the passphrase directly to it - along with the ciphertext - so if
attacker includes newlines in the supplied passphrase can then inject
their own ciphertext (or plaintext in the context of encryption) - fixed
to check passphrase does not contain line-feed or carriage return
characters
gnupg directly in the filename to be decrypted when using verbose output
mode - fixed by sanitising this filename first
Discussion with Joe McManus about another IoT compromise and DockerHub
Goings on in Ubuntu Security Community
Hiring
Robotics Security Engineer
Get in contact