Episode 107

Update: 2021-03-12

Description

Overview


This week we check on the status of the pending GRUB2 Secure Boot updates
and detail some open positions within the team, plus we look at security
updates for GLib, zstd, Go, Git and more.


This week in Ubuntu Security Updates


7 unique CVEs addressed


[USN-4757-2] wpa_supplicant and hostapd vulnerability [00:45]



[USN-4733-2] GNOME Autoar regression [01:23]

  • Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

  • The upstream patch covered in Episode 104 caused a regression in which
    folders within an archive could fail to be extracted; once upstream
    noticed and fixed this, we included that fix as well


[USN-4759-1] GLib vulnerabilities [02:06]

  • 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

  • Possible integer overflow when allocating memory, due to an implicit cast
    from a 64-bit long to a 32-bit int: the g_memdup() function takes a
    32-bit int argument but is called by g_bytes_new(), which takes a 64-bit
    gsize argument. A large size is silently truncated, so much less memory
    is allocated than expected; when the data is later copied into that
    buffer, a buffer overflow can occur.

  • Since g_memdup() is a public API, it can't simply be changed to take a
    gsize argument, as that would break the ABI. Instead g_memdup2() was
    added and the internal callers were converted to use it. Other
    applications should consider porting to this new API to avoid this sort
    of issue (and audit their own code to check they don't have similar
    implicit integer overflow issues)
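Added example (not GLib's own code) modelling the narrowing behind this issue: a stand-in for the old g_memdup() that takes a 32-bit size, a g_memdup2()-style replacement, and the two caller shapes. The type widths are pinned at 32/64 bits so the result is the same on any host; DemoBytes, demo_memdup and the other names are assumed stand-ins, not GLib symbols.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t guint;  /* width of g_memdup()'s byte_size parameter */
typedef uint64_t gsize;  /* width of g_bytes_new()'s size parameter (LP64) */
typedef struct {
    unsigned char *data;
    gsize size;       /* length the object claims to hold */
    gsize allocated;  /* length actually duplicated (demo bookkeeping) */
} DemoBytes;

/* Old API shape: the size arrives as a 32-bit guint. */
static unsigned char *demo_memdup(const void *mem, guint byte_size) {
    unsigned char *copy = malloc(byte_size ? byte_size : 1);
    if (copy && byte_size) memcpy(copy, mem, byte_size);
    return copy;
}

/* Fixed API shape (g_memdup2 style): the size stays a gsize. */
static unsigned char *demo_memdup2(const void *mem, gsize byte_size) {
    unsigned char *copy = malloc(byte_size ? (size_t)byte_size : 1);
    if (copy && byte_size) memcpy(copy, mem, (size_t)byte_size);
    return copy;
}

/* Vulnerable caller shape: gsize is silently narrowed to guint at the call,
 * so a size of 2^32 + 16 allocates only 16 bytes while the object still
 * records the full size; code that later trusts 'size' overruns the copy. */
DemoBytes demo_bytes_new_old(const void *mem, gsize size) {
    DemoBytes b = { demo_memdup(mem, size), size, (guint)size };
    return b;
}

/* Fixed caller shape: no narrowing, so size and allocation agree. */
DemoBytes demo_bytes_new_fixed(const void *mem, gsize size) {
    DemoBytes b = { demo_memdup2(mem, size), size, size };
    return b;
}

/* Constructed source; callers below read at most 64 bytes of it, so only the
 * bookkeeping is wrong and the demo itself never touches memory out of bounds. */
static const unsigned char SAMPLE[64] = "constructed sample payload";

/* Returns 1 when the old path leaves the object with size != allocated. */
int old_path_truncates(gsize size) {
    DemoBytes b = demo_bytes_new_old(SAMPLE, size);
    int mismatch = b.size != b.allocated;
    free(b.data);
    return mismatch;
}
```

A size of 2^32 + 16 is the interesting input: the old path allocates 16 bytes and records 4294967312, the fixed path keeps the two in step.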


[USN-4760-1] libzstd vulnerabilities [04:44]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

  • Files were created with default permissions, so this was patched to
    chmod() them so that only the owner could read and write them

  • But this introduced a race condition: the file initially still has the
    default permissions, so a different user could potentially access it
    until the chmod() call is made. This was deemed an incomplete fix for
    the first CVE, and a second CVE was allocated for the incomplete fix.
    Instead the code was changed to set umask() before creating the file in
    the first place, so the permissions are set properly at creation
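Added example (not zstd's own code) showing the two patterns side by side on POSIX: create-then-chmod, which leaves a window where the file carries the default mode, and umask-then-create, where the file is owner-only from the start. The umask values and the file paths used by a caller are assumptions for the demo.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits of path, or (mode_t)-1 if it cannot be stat()ed. */
static mode_t perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 0777) : (mode_t)-1;
}

/* Racy pattern: create with default permissions, then chmod() down.
 * *window_mode receives the mode visible between the two calls, which is
 * what another local user could read until the chmod() lands. */
mode_t create_then_chmod(const char *path, mode_t *window_mode) {
    mode_t old = umask(022);   /* typical default umask, pinned for the demo */
    unlink(path);              /* make sure the open() below really creates */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(old);
    if (fd < 0) return (mode_t)-1;
    *window_mode = perm_bits(path);   /* 0644: group and others can read */
    fchmod(fd, 0600);
    close(fd);
    return perm_bits(path);           /* 0600, but only after the window */
}

/* Fixed pattern: restrict the umask before creation so the file is owner-only
 * from its first instant; passing 0600 straight to open() has the same effect. */
mode_t create_with_umask(const char *path, mode_t *window_mode) {
    mode_t old = umask(077);
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(old);
    if (fd < 0) return (mode_t)-1;
    *window_mode = perm_bits(path);   /* already 0600 at creation */
    close(fd);
    return perm_bits(path);
}
```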


[USN-4758-1] Go vulnerability [05:41]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

  • Possible XSS issue in the CGI and FastCGI implementations: Go would treat
    non-HTML data as HTML and return a text/html content type, which the web
    server would then serve as such even if the data had been uploaded with
    a different content type

  • Thanks to Dariusz Gadomski from the SEG team for preparing these fixes
    (since these versions of golang are in universe on these Ubuntu releases)


[USN-4761-1] Git vulnerability [06:59]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

  • Possible code execution on the local git client when cloning a malicious
    remote repository. The local client would need a git filter installed
    (such as git LFS) and would have to be on a case-insensitive file system,
    so this is a more common scenario for Windows users and unlikely to
    affect Linux users; patched anyway


Goings on in Ubuntu Security Community


GRUB2 updates still in progress [08:54]

  • Still being tested internally by our hardware certification lab and
    others, with some minor tweaks being made; shim development work is also
    still ongoing. Thanks to Dimitri John Ledkov from the Foundations team
    for handling that work, as well as all the one-grub work


Hiring [09:53]


AppArmor Security Engineer



Ubuntu Security Engineer



Security Engineer - Ubuntu



Get in contact


Ubuntu Security Team