Episode 104

Update: 2021-02-19

Overview


This week we take a look at a long-awaited update of Thunderbird in Ubuntu
20.04 LTS, plus security updates for Open vSwitch, JUnit 4, PostSRSd, GNOME
Autoar and more.


This week in Ubuntu Security Updates


14 unique CVEs addressed


[USN-4729-1] Open vSwitch vulnerability [00:55]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • Most convoluted CVE description: A vulnerability was found in
    openvswitch. A limitation in the implementation of userspace packet
    parsing can allow a malicious user to send a specially crafted packet
    causing the resulting megaflow in the kernel to be too wide, potentially
    causing a denial of service. The highest threat from this vulnerability
    is to system availability.


[USN-4731-1] JUnit 4 vulnerability [02:05]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • Tests that used the TemporaryFolder rule would use /tmp, which is world
    accessible, so contents could be read by other users - if tests were
    writing API keys or passwords, these could be read by other
    users -> info disclosure. Fixed to create the temp directory with
    permissions so it is only readable by the owner.


[USN-4730-1] PostSRSd vulnerability [02:57]

  • 1 CVE addressed in Bionic (18.04 LTS)


  • Postfix Sender Rewriter Scheme Daemon - used for rewriting sender email
    addresses when forwarding emails from hosts that use SPF - rewrites the
    address to appear to come from your host's address and allows you to do
    the inverse and appropriately handle any bounces etc by reverse-rewriting
    the sender address to recover the original address

  • Could cause a CPU-based DoS through excessive processing if an email
    contained an exceedingly long SRS timestamp - fixed to just reject those
    which are past the expected regular size


[USN-4732-1] SQLite vulnerability [04:20]

  • 1 CVE addressed in Groovy (20.10)


  • Only affected more recent releases of sqlite - could cause a crash on
    particular query constructs


[USN-4733-1] GNOME Autoar vulnerability [04:42]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • Another archive extraction symlink traversal issue - gnome-autoar is a
    library used by nautilus and other GNOME components when handling
    archives - i.e. right click an archive in nautilus and select “extract
    here”

  • If an archive contained a file whose parent was a symlink that pointed
    outside the destination directory, it would blindly follow the symlink
    and overwrite arbitrary files - fixed to instead check if it is a symlink
    with an absolute target OR one that points outside the destination folder
    via a relative path, and reject in that case
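
The check described above, as an added example (not gnome-autoar's own code, which is C): it audits a tar archive before extraction and goes one step further than the text by also following chains of symlinks created by the archive itself. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile

def resolve(path, links, max_hops=32):
    """Resolve a root-relative path via the archive's symlinks; None if it escapes."""
    todo, done, hops = path.split("/")[::-1], [], 0
    while todo:
        part = todo.pop()
        if part == "..":
            if not done:
                return None              # climbs above the extraction root
            done.pop()
        elif part not in ("", "."):
            done.append(part)
            target = links.get("/".join(done))
            if target is not None:
                hops += 1
                if hops > max_hops or posixpath.isabs(target):
                    return None          # link loop, or absolute link target
                done.pop()               # continue from the link's directory
                todo.extend(target.split("/")[::-1])
    return "/".join(done)

def audit_archive(fileobj):
    """Return (accepted, rejected) entry names for a tar archive."""
    links, accepted, rejected = {}, [], []
    with tarfile.open(fileobj=fileobj) as tar:
        for m in tar:
            parent, base = posixpath.split(m.name.rstrip("/"))
            # Directory the entry really lands in, or None if that is outside.
            where = None if posixpath.isabs(m.name) else resolve(parent, links)
            ok = where is not None and base not in ("", ".", "..")
            if ok and m.issym():
                links[posixpath.join(where, base)] = m.linkname
                ok = resolve(posixpath.join(where, base), links) is not None
            (accepted if ok else rejected).append(m.name)
    return accepted, rejected

def build_sample():  # constructed archive: (entry name, symlink target or None)
    entries = [("doc/a", None), ("doc/cur", "a"), ("abs", "/etc"), ("abs/job", None),
               ("doc/up", "../.."), ("doc/here", ".."), ("doc/here/out", "../x")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link
            tar.addfile(info)
    return io.BytesIO(buf.getvalue())
```

The audit only models links the archive itself creates; symlinks already present in the destination directory need a separate on-disk check at extraction time.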


[USN-4734-1, USN-4734-2] wpa_supplicant and hostapd vulnerabilities [06:01]



  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • Possible OOB write when doing a wifi-direct / p2p search - so an attacker
    just has to be in radio range when the victim performs a P2P discovery
    aka wifi direct search - discovered by Google’s OSS-Fuzz project

  • CallStranger (Episode 91) - UPnP callback reflection


[USN-4735-1] PostgreSQL vulnerability [07:23]

  • 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10)


  • Latest upstream 12.6 release to fix a possible info leak which could
    occur when handling particular errors - if a user had the permission to
    UPDATE on a partitioned table but not the SELECT privilege on some column
    and tried to UPDATE on that column, the resulting error message
    concerning this constraint violation could leak values of the columns
    for which the user did not have permission. Rare setup so unlikely to be
    affected in practice.


[USN-4736-1] Thunderbird vulnerabilities [08:18]

  • 6 CVEs addressed in Groovy (20.10)


  • Update to latest upstream release 78.7, usual spread of issues for TB
    (derived from Firefox) - DoS, info leak, RCE. Also a possible response
    injection attack from a person-in-the-middle during STARTTLS connection
    setup - i.e. could inject an unencrypted response which would then be
    evaluated after the encrypted connection was set up, so would get treated
    as coming from the trusted host.


Goings on in Ubuntu Security Community


Thunderbird to be upgraded to 78.x in Ubuntu 20.04 LTS [09:32]

  • Led by oSoMoN (Olivier Tilloy) from Desktop Team

  • 68.x no longer supported upstream and not really practical to backport
    security fixes for this old codebase

  • 78.x as a new major version introduces a bunch of breaking changes, in
    particular with handling of PGP - previously TB had no native support for
    PGP but the Enigmail add-on provided this

  • Now does support PGP itself and Enigmail is not supported anymore - new
    internal PGP is a bit different and requires migration - this should be
    handled automatically by the new version to migrate existing Enigmail
    users across

  • A couple of other packages, tinyjsd and jsunit, are also not supported by
    TB 78

    • tinyjsd - JS debugger with a particular focus on being able to debug TB
      extensions etc

    • jsunit - unit testing tool for TB to allow add-on developers to set up
      unit tests for their extensions and to run these in TB/FF etc

    • these will be replaced by empty packages in the Ubuntu archive for
      20.04



  • Once this is done will then look to do Bionic (18.04 LTS) as well

  • https://discourse.ubuntu.com/t/thunderbird-lts-update/20819


Get in contact



Ubuntu Security Team