Ubuntu 6614 Published by

The following updates has been released for Ubuntu Linux:

USN-3913-1: P7ZIP vulnerabilities
USN-3915-1: Ghostscript vulnerabilities
USN-3917-1: snapd vulnerability
USN-3918-1: Firefox vulnerabilities



USN-3913-1: P7ZIP vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3913-1
March 21, 2019

p7zip vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

p7zip could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- p7zip: 7z file archiver with high compression ratio

Details:

It was discovered that p7zip did not correctly handle certain malformed
archives. If a user or automated system were tricked into processing a specially
crafted archive with p7zip, then p7zip could be made to crash, possibly leading
to abitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
p7zip 9.20.1~dfsg.1-4.2ubuntu0.1
p7zip-full 9.20.1~dfsg.1-4.2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3913-1
CVE-2016-2335, CVE-2017-17969

Package Information:
https://launchpad.net/ubuntu/+source/p7zip/9.20.1~dfsg.1-4.2ubuntu0.1

USN-3915-1: Ghostscript vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3915-1
March 21, 2019

ghostscript vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Ghostscript.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

It was discovered that Ghostscript incorrectly handled certain PostScript
files. If a user or automated system were tricked into processing a
specially crafted file, a remote attacker could possibly use this issue to
access arbitrary files, execute arbitrary code, or cause a denial of
service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
ghostscript 9.26~dfsg+0-0ubuntu0.18.10.8
libgs9 9.26~dfsg+0-0ubuntu0.18.10.8

Ubuntu 18.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.18.04.8
libgs9 9.26~dfsg+0-0ubuntu0.18.04.8

Ubuntu 16.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.16.04.8
libgs9 9.26~dfsg+0-0ubuntu0.16.04.8

Ubuntu 14.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.14.04.8
libgs9 9.26~dfsg+0-0ubuntu0.14.04.8

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3915-1
CVE-2019-3835, CVE-2019-3838

Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.10.8
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.8
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.16.04.8
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.14.04.8

USN-3917-1: snapd vulnerability


=========================================================================
Ubuntu Security Notice USN-3917-1
March 21, 2019

snapd vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

An intended access restriction in snapd could be bypassed by strict mode
snaps on 64 bit architectures.

Software Description:
- snapd: Daemon and tooling that enable snap packages

Details:

The snapd default seccomp filter for strict mode snaps blocks the use of
the ioctl() system call when used with TIOCSTI as the second argument to
the system call. Jann Horn discovered that this restriction could be
circumvented on 64 bit architectures. A malicious snap could exploit this
to bypass intended access restrictions to insert characters into the
terminal's input queue. On Ubuntu, snapd typically will have already
automatically refreshed itself to snapd 2.37.4 which is unaffected.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
snapd 2.37.4+18.10.1

Ubuntu 18.04 LTS:
snapd 2.37.4+18.04.1

Ubuntu 16.04 LTS:
snapd 2.37.4ubuntu0.1

Ubuntu 14.04 LTS:
snapd 2.37.4~14.04.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3917-1
CVE-2019-7303, https://launchpad.net/bugs/1812973

Package Information:
https://launchpad.net/ubuntu/+source/snapd/2.37.4+18.10.1
https://launchpad.net/ubuntu/+source/snapd/2.37.4+18.04.1
https://launchpad.net/ubuntu/+source/snapd/2.37.4ubuntu0.1
https://launchpad.net/ubuntu/+source/snapd/2.37.4~14.04.1

USN-3918-1: Firefox vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3918-1
March 21, 2019

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, denial of service via successive FTP authorization prompts or modal
alerts, trick the user with confusing permission request prompts, obtain
sensitive information, conduct social engineering attacks, or execute
arbitrary code. (CVE-2019-9788, CVE-2019-9789, CVE-2019-9790,
CVE-2019-9791, CVE-2019-9792, CVE-2019-9795, CVE-2019-9796, CVE-2019-9797,
CVE-2019-9799, CVE-2019-9802, CVE-2019-9805, CVE-2019-9806, CVE-2019-9807,
CVE-2019-9808, CVE-2019-9809)

A mechanism was discovered that removes some bounds checking for string,
array, or typed array accesses if Spectre mitigations have been disabled.
If a user were tricked in to opening a specially crafted website with
Spectre mitigations disabled, an attacker could potentially exploit this
to cause a denial of service, or execute arbitrary code. (CVE-2019-9793)

It was discovered that Upgrade-Insecure-Requests was incorrectly enforced
for same-origin navigation. An attacker could potentially exploit this to
conduct man-in-the-middle (MITM) attacks. (CVE-2019-9803)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  firefox 66.0+build3-0ubuntu0.18.10.1

Ubuntu 18.04 LTS:
  firefox 66.0+build3-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
  firefox 66.0+build3-0ubuntu0.16.04.2

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3918-1
  CVE-2019-9788, CVE-2019-9789, CVE-2019-9790, CVE-2019-9791,
  CVE-2019-9792, CVE-2019-9793, CVE-2019-9795, CVE-2019-9796,
  CVE-2019-9797, CVE-2019-9799, CVE-2019-9802, CVE-2019-9803,
  CVE-2019-9805, CVE-2019-9806, CVE-2019-9807, CVE-2019-9808,
  CVE-2019-9809

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/66.0+build3-0ubuntu0.18.10.1
  https://launchpad.net/ubuntu/+source/firefox/66.0+build3-0ubuntu0.18.04.1
  https://launchpad.net/ubuntu/+source/firefox/66.0+build3-0ubuntu0.16.04.2