Ubuntu 6590 Published by

The following updates has been released for Ubuntu Linux:

USN-3710-1: curl vulnerability
USN-3711-1: ImageMagick vulnerabilities
USN-3712-1: libpng vulnerabilities
USN-3712-2: libpng vulnerability
USN-3713-1: CUPS vulnerabilities



USN-3710-1: curl vulnerability


==========================================================================
Ubuntu Security Notice USN-3710-1
July 11, 2018

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 17.10

Summary:

curl could be made to crash or run programs if it received specially
crafted network traffic.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Peter Wu discovered that curl incorrectly handled certain SMTP buffers. A
remote attacker could use this issue to cause curl to crash, resulting in a
denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
curl 7.58.0-2ubuntu3.2
libcurl3-gnutls 7.58.0-2ubuntu3.2
libcurl3-nss 7.58.0-2ubuntu3.2
libcurl4 7.58.0-2ubuntu3.2

Ubuntu 17.10:
curl 7.55.1-1ubuntu2.6
libcurl3 7.55.1-1ubuntu2.6
libcurl3-gnutls 7.55.1-1ubuntu2.6
libcurl3-nss 7.55.1-1ubuntu2.6

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3710-1
CVE-2018-0500

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.2
https://launchpad.net/ubuntu/+source/curl/7.55.1-1ubuntu2.6

USN-3711-1: ImageMagick vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3711-1
July 11, 2018

imagemagick vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in ImageMagick.

Software Description:
- imagemagick: Image manipulation programs and library

Details:

It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
imagemagick 8:6.9.7.4+dfsg-16ubuntu6.3
imagemagick-6.q16 8:6.9.7.4+dfsg-16ubuntu6.3
libmagick++-6.q16-7 8:6.9.7.4+dfsg-16ubuntu6.3
libmagickcore-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.3
libmagickcore-6.q16-3-extra 8:6.9.7.4+dfsg-16ubuntu6.3

Ubuntu 17.10:
imagemagick 8:6.9.7.4+dfsg-16ubuntu2.3
imagemagick-6.q16 8:6.9.7.4+dfsg-16ubuntu2.3
libmagick++-6.q16-7 8:6.9.7.4+dfsg-16ubuntu2.3
libmagickcore-6.q16-3 8:6.9.7.4+dfsg-16ubuntu2.3
libmagickcore-6.q16-3-extra 8:6.9.7.4+dfsg-16ubuntu2.3

Ubuntu 16.04 LTS:
imagemagick 8:6.8.9.9-7ubuntu5.12
imagemagick-6.q16 8:6.8.9.9-7ubuntu5.12
libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.12
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.12
libmagickcore-6.q16-2-extra 8:6.8.9.9-7ubuntu5.12

Ubuntu 14.04 LTS:
imagemagick 8:6.7.7.10-6ubuntu3.12
libmagick++5 8:6.7.7.10-6ubuntu3.12
libmagickcore5 8:6.7.7.10-6ubuntu3.12
libmagickcore5-extra 8:6.7.7.10-6ubuntu3.12

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3711-1
CVE-2018-12599, CVE-2018-12600, CVE-2018-13153

Package Information:
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.7.4+dfsg-16ubuntu6.3
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.7.4+dfsg-16ubuntu2.3
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.12
https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.12

USN-3712-1: libpng vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3712-1
July 11, 2018

libpng, libpng1.6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in libpng.

Software Description:
- libpng1.6: PNG library - development (version 1.6)
- libpng: PNG (Portable Network Graphics) file library

Details:

Patrick Keshishian discovered that libpng incorrectly handled certain
PNG files. An attacker could possibly use this to cause a denial of
service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04
LTS. (CVE-2016-10087)

Thuan Pham discovered that libpng incorrectly handled certain PNG
files. An attacker could possibly use this to cause a denial of
service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS.
(CVE-2018-13785)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  libpng16-16 1.6.34-1ubuntu0.18.04.1

Ubuntu 17.10:
  libpng16-16 1.6.34-1ubuntu0.17.10.1

Ubuntu 16.04 LTS:
  libpng12-0 1.2.54-1ubuntu1.1

Ubuntu 14.04 LTS:
  libpng12-0 1.2.50-1ubuntu2.14.04.3

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3712-1
  CVE-2016-10087, CVE-2018-13785

Package Information:
  https://launchpad.net/ubuntu/+source/libpng1.6/1.6.34-1ubuntu0.18.04.1
  https://launchpad.net/ubuntu/+source/libpng1.6/1.6.34-1ubuntu0.17.10.1
  https://launchpad.net/ubuntu/+source/libpng/1.2.54-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/libpng/1.2.50-1ubuntu2.14.04.3

USN-3712-2: libpng vulnerability


==========================================================================
Ubuntu Security Notice USN-3712-2
July 11, 2018

libpng vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

libpng could be made to crash if it received a specially crafted file.

Software Description:
- libpng: PNG (Portable Network Graphics) file library

Details:

USN-3712-1 fixed a vulnerability in libpng. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 Patrick Keshishian discovered that libpng incorrectly handled certain
 PNG files. An attacker could possibly use this to cause a denial of
 service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  libpng12-0 1.2.46-3ubuntu4.3

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3712-2
  https://usn.ubuntu.com/usn/usn-3712-1
  CVE-2016-10087

USN-3713-1: CUPS vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3713-1
July 11, 2018

cups vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in CUPS.

Software Description:
- cups: Common UNIX Printing System(tm)

Details:

It was discovered that CUPS incorrectly handled certain print jobs with
invalid usernames. A remote attacker could possibly use this issue to cause
CUPS to crash, resulting in a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2017-18248)

Dan Bastone discovered that the CUPS dnssd backend incorrectly handled
certain environment variables. A local attacker could possibly use this
issue to escalate privileges. (CVE-2018-4180)

Eric Rafaloff and John Dunlap discovered that CUPS incorrectly handled
certain include directives. A local attacker could possibly use this issue
to read arbitrary files. (CVE-2018-4181)

Dan Bastone discovered that the CUPS AppArmor profile incorrectly confined
the dnssd backend. A local attacker could possibly use this issue to escape
confinement. (CVE-2018-6553)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
cups 2.2.7-1ubuntu2.1

Ubuntu 17.10:
cups 2.2.4-7ubuntu3.1

Ubuntu 16.04 LTS:
cups 2.1.3-4ubuntu0.5

Ubuntu 14.04 LTS:
cups 1.7.2-0ubuntu1.10

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3713-1
CVE-2017-18248, CVE-2018-4180, CVE-2018-4181, CVE-2018-6553

Package Information:
https://launchpad.net/ubuntu/+source/cups/2.2.7-1ubuntu2.1
https://launchpad.net/ubuntu/+source/cups/2.2.4-7ubuntu3.1
https://launchpad.net/ubuntu/+source/cups/2.1.3-4ubuntu0.5
https://launchpad.net/ubuntu/+source/cups/1.7.2-0ubuntu1.10