Ubuntu alert USN-6161-2 (dotnet6, dotnet7)

From:
             
 
Ian Constantin <ian.constantin@canonical.com>
To:
             
 
ubuntu-security-announce@lists.ubuntu.com
Subject:
             
 
[USN-6161-2] .NET regression
Date:
             
 
Fri, 23 Jun 2023 16:09:11 +0300
Message-ID:
             
 
<b6c682c2-b623-4a1d-4cee-8615d4edfc2b@canonical.com>
==========================================================================
Ubuntu Security Notice USN-6161-2
June 23, 2023

dotnet6, dotnet7 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS

Summary:

USN 6161-1 introduced a regression in .NET that could incorrectly
cause X.509 certificate imports to fail when they should succeed.

Software Description:
- dotnet6: dotNET CLI tools and runtime
- dotnet7: dotNET CLI tools and runtime

Details:

USN-6161-1 fixed vulnerabilities in .NET. The update introduced
a regression with regards to how the runtime imported X.509
certificates. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

  It was discovered that .NET did not properly enforce certain
  restrictions when deserializing a DataSet or DataTable from
  XML. An attacker could possibly use this issue to elevate their
  privileges. (CVE-2023-24936)

  Kevin Jones discovered that .NET did not properly handle the
  AIA fetching process for X.509 client certificates. An attacker
  could possibly use this issue to cause a denial of service.
  (CVE-2023-29331)

  Kalle Niemitalo discovered that the .NET package manager,
  NuGet, was susceptible to a potential race condition. An
  attacker could possibly use this issue to perform remote
  code execution. (CVE-2023-29337)

  Tom Deseyn discovered that .NET did not properly process certain
  arguments when extracting the contents of a tar file. An attacker
  could possibly use this issue to elevate their privileges. This
  issue only affected the dotnet7 package. (CVE-2023-32032)

  It was discovered that .NET did not properly handle memory in
  certain circumstances. An attacker could possibly use this issue
  to cause a denial of service or perform remote code execution.
  (CVE-2023-33128)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
    aspnetcore-runtime-6.0         6.0.118-0ubuntu1~23.04.1
    aspnetcore-runtime-7.0         7.0.107-0ubuntu1~23.04.1
    dotnet-host                            6.0.118-0ubuntu1~23.04.1
    dotnet-host-7.0                      7.0.107-0ubuntu1~23.04.1
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~23.04.1
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~23.04.1
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~23.04.1
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~23.04.1
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~23.04.1
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~23.04.1
    dotnet6 6.0.118-0ubuntu1~23.04.1
    dotnet7 7.0.107-0ubuntu1~23.04.1

Ubuntu 22.10:
    aspnetcore-runtime-6.0         6.0.118-0ubuntu1~22.10.1
    aspnetcore-runtime-7.0         7.0.107-0ubuntu1~22.10.1
    dotnet-host 6.0.118-0ubuntu1~22.10.1
    dotnet-host-7.0                      7.0.107-0ubuntu1~22.10.1
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.10.1
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.10.1
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~22.10.1
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~22.10.1
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~22.10.1
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~22.10.1
    dotnet6 6.0.118-0ubuntu1~22.10.1
    dotnet7 7.0.107-0ubuntu1~22.10.1

Ubuntu 22.04 LTS:
    aspnetcore-runtime-6.0          6.0.118-0ubuntu1~22.04.1
    aspnetcore-runtime-7.0          7.0.107-0ubuntu1~22.04.1
    dotnet-host 6.0.118-0ubuntu1~22.04.1
    dotnet-host-7.0                      7.0.107-0ubuntu1~22.04.1
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.04.1
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.04.1
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~22.04.1
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~22.04.1
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~22.04.1
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~22.04.1
    dotnet6 6.0.118-0ubuntu1~22.04.1
    dotnet7 7.0.107-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6161-2
https://ubuntu.com/security/notices/USN-6161-1
https://launchpad.net/bugs/2024893, https://launchpad.net/bugs/2024894

Package Information:
https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubu...
https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubu...
https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubu...
https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubu...
https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubu...
https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubu...