Category Archives: Ubuntu

Ubuntu Security Notices

USN-3227-1: ICU vulnerabilities

Ubuntu Security Notice USN-3227-1

13th March, 2017

icu vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in ICU.

Software description

  • icu
    – International Components for Unicode library

Details

It was discovered that ICU incorrectly handled certain memory operations
when processing data. If an application using ICU processed crafted data,
a remote attacker could possibly cause it to crash or potentially execute
arbitrary code with the privileges of the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • libicu57 – 57.1-4ubuntu0.1
Ubuntu 16.04 LTS:
  • libicu55 – 55.1-7ubuntu0.1
Ubuntu 14.04 LTS:
  • libicu52 – 52.1-3ubuntu0.5
Ubuntu 12.04 LTS:
  • libicu48 – 4.8.1.1-3ubuntu0.7

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9911, CVE-2015-4844, CVE-2016-0494, CVE-2016-6293, CVE-2016-7415

USN-3226-1: icoutils vulnerabilities

Ubuntu Security Notice USN-3226-1

13th March, 2017

icoutils vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

icoutils could be made to crash or run programs as your login if it opened
a specially crafted file.

Software description

  • icoutils
    – Create and extract MS Windows icons and cursors

Details

Jerzy Kramarz discovered that icoutils incorrectly handled memory when
processing certain files. If a user or automated system were tricked into
opening a specially crafted file, an attacker could cause icoutils to
crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • icoutils – 0.29.1-2ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-6009, CVE-2017-6010, CVE-2017-6011

USN-3230-1: Pillow vulnerabilities

Ubuntu Security Notice USN-3230-1

13th March, 2017

pillow vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Pillow.

Software description

  • pillow
    – Python Imaging Library

Details

It was discovered that Pillow incorrectly handled certain compressed text
chunks in PNG images. A remote attacker could possibly use this issue to
cause Pillow to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2014-9601)

Cris Neckar discovered that Pillow incorrectly handled certain malformed
images. A remote attacker could use this issue to cause Pillow to crash,
resulting in a denial of service, or possibly obtain sensitive information.
(CVE-2016-9189)

Cris Neckar discovered that Pillow incorrectly handled certain malformed
images. A remote attacker could use this issue to cause Pillow to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-9190)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • python-imaging – 3.3.1-1ubuntu0.1
  • python3-pil – 3.3.1-1ubuntu0.1
  • python-pil – 3.3.1-1ubuntu0.1
Ubuntu 16.04 LTS:
  • python-imaging – 3.1.2-0ubuntu1.1
  • python3-pil – 3.1.2-0ubuntu1.1
  • python-pil – 3.1.2-0ubuntu1.1
Ubuntu 14.04 LTS:
  • python-imaging – 2.3.0-1ubuntu3.4
  • python3-pil – 2.3.0-1ubuntu3.4
  • python-pil – 2.3.0-1ubuntu3.4
  • python3-imaging – 2.3.0-1ubuntu3.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9601, CVE-2016-9189, CVE-2016-9190

USN-3229-1: Python Imaging Library vulnerabilities

Ubuntu Security Notice USN-3229-1

13th March, 2017

python-imaging vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the Python Imaging Library.

Software description

  • python-imaging
    – Python Imaging Library

Details

It was discovered that the Python Imaging Library incorrectly handled
certain compressed text chunks in PNG images. A remote attacker could
possibly use this issue to cause the Python Imaging Library to crash,
resulting in a denial of service. (CVE-2014-9601)

Cris Neckar discovered that the Python Imaging Library incorrectly handled
certain malformed images. A remote attacker could use this issue to cause
the Python Imaging Library to crash, resulting in a denial of service, or
possibly obtain sensitive information. (CVE-2016-9189)

Cris Neckar discovered that the Python Imaging Library incorrectly handled
certain malformed images. A remote attacker could use this issue to cause
the Python Imaging Library to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-9190)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • python-imaging – 1.1.7-4ubuntu0.12.04.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9601, CVE-2016-9189, CVE-2016-9190

USN-3224-1: LXC vulnerability

Ubuntu Security Notice USN-3224-1

9th March, 2017

lxc vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

LXC could be made to create arbitrary virtual network interfaces as an
administrator.

Software description

  • lxc
    – Linux Containers userspace tools

Details

Jann Horn discovered that LXC incorrectly verified permissions when creating
virtual network interfaces. A local attacker could possibly use this issue to
create virtual network interfaces in network namespaces that they do not own.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • lxc-common – 2.0.7-0ubuntu1~16.10.2
Ubuntu 16.04 LTS:
  • lxc-common – 2.0.7-0ubuntu1~16.04.2
Ubuntu 14.04 LTS:
  • lxc – 1.0.9-0ubuntu3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-5985

USN-3223-1: KDE-Libs vulnerability

Ubuntu Security Notice USN-3223-1

9th March, 2017

kde4libs vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

KDE-Libs could be made to expose sensitive information over the network.

Software description

  • kde4libs
    – KDE 4 core applications and libraries

Details

Itzik Kotler, Yonatan Fridburg, and Amit Klein discovered that KDE-Libs
incorrectly handled certain PAC files. A remote attacker could possibly use
this issue to obtain sensitive information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • kdelibs5-plugins – 4:4.13.3-0ubuntu0.4
Ubuntu 12.04 LTS:
  • kdelibs5-plugins – 4:4.8.5-0ubuntu0.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-6410

USN-3225-1: libarchive vulnerabilities

Ubuntu Security Notice USN-3225-1

9th March, 2017

libarchive vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

libarchive could be made to crash, overwrite files, or run programs as your
login if it opened a specially crafted file.

Software description

  • libarchive
    – Library to read/write archive files

Details

It was discovered that libarchive incorrectly handled hardlink entries when
extracting archives. A remote attacker could possibly use this issue to
overwrite arbitrary files. (CVE-2016-5418)

Christian Wressnegger, Alwin Maier, and Fabian Yamaguchi discovered that
libarchive incorrectly handled filename lengths when writing ISO9660
archives. A remote attacker could use this issue to cause libarchive to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and
Ubuntu 16.04 LTS. (CVE-2016-6250)

Alexander Cherepanov discovered that libarchive incorrectly handled
recursive decompressions. A remote attacker could possibly use this issue
to cause libarchive to hang, resulting in a denial of service. This issue
only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-7166)

It was discovered that libarchive incorrectly handled non-printable
multibyte characters in filenames. A remote attacker could possibly use
this issue to cause libarchive to crash, resulting in a denial of service.
(CVE-2016-8687)

It was discovered that libarchive incorrectly handled line sizes when
extracting certain archives. A remote attacker could possibly use this
issue to cause libarchive to crash, resulting in a denial of service.
(CVE-2016-8688)

It was discovered that libarchive incorrectly handled multiple EmptyStream
attributes when extracting certain 7zip archives. A remote attacker could
possibly use this issue to cause libarchive to crash, resulting in a denial
of service. (CVE-2016-8689)

Jakub Jirasek discovered that libarchive incorrectly handled memory when
extracting certain archives. A remote attacker could possibly use this
issue to cause libarchive to crash, resulting in a denial of service.
(CVE-2017-5601)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • libarchive13 – 3.2.1-2ubuntu0.1
Ubuntu 16.04 LTS:
  • libarchive13 – 3.1.2-11ubuntu0.16.04.3
Ubuntu 14.04 LTS:
  • libarchive13 – 3.1.2-7ubuntu2.4
Ubuntu 12.04 LTS:
  • libarchive12 – 3.0.3-6ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-5418, CVE-2016-6250, CVE-2016-7166, CVE-2016-8687, CVE-2016-8688, CVE-2016-8689, CVE-2017-5601

USN-3220-3: Linux kernel (AWS) vulnerability

Ubuntu Security Notice USN-3220-3

8th March, 2017

linux-aws vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-aws
    – Linux kernel for Amazon Web Services (AWS) systems

Details

USN-3220-1 fixed a vulnerability in the Linux kernel. This update
provides the corresponding updates for the Linux kernel for Amazon
Web Services (AWS).

Alexander Popov discovered that the N_HDLC line discipline implementation
in the Linux kernel contained a double-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  • linux-image-4.4.0-1007-aws – 4.4.0-1007.16
  • linux-image-aws – 4.4.0.1007.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-2636

USN-3222-1: ImageMagick vulnerabilities

Ubuntu Security Notice USN-3222-1

8th March, 2017

imagemagick vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in ImageMagick.

Software description

  • imagemagick
    – Image manipulation programs and library

Details

It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • libmagick++-6.q16-5v5 – 8:6.8.9.9-7ubuntu8.4
  • imagemagick – 8:6.8.9.9-7ubuntu8.4
  • libmagickcore-6.q16-2-extra – 8:6.8.9.9-7ubuntu8.4
  • imagemagick-6.q16 – 8:6.8.9.9-7ubuntu8.4
  • libmagickcore-6.q16-2 – 8:6.8.9.9-7ubuntu8.4
Ubuntu 16.04 LTS:
  • libmagick++-6.q16-5v5 – 8:6.8.9.9-7ubuntu5.5
  • imagemagick – 8:6.8.9.9-7ubuntu5.5
  • libmagickcore-6.q16-2-extra – 8:6.8.9.9-7ubuntu5.5
  • imagemagick-6.q16 – 8:6.8.9.9-7ubuntu5.5
  • libmagickcore-6.q16-2 – 8:6.8.9.9-7ubuntu5.5
Ubuntu 14.04 LTS:
  • libmagick++5 – 8:6.7.7.10-6ubuntu3.5
  • libmagickcore5-extra – 8:6.7.7.10-6ubuntu3.5
  • libmagickcore5 – 8:6.7.7.10-6ubuntu3.5
  • imagemagick – 8:6.7.7.10-6ubuntu3.5
Ubuntu 12.04 LTS:
  • libmagick++4 – 8:6.6.9.7-5ubuntu3.8
  • libmagickcore4 – 8:6.6.9.7-5ubuntu3.8
  • imagemagick – 8:6.6.9.7-5ubuntu3.8
  • libmagickcore4-extra – 8:6.6.9.7-5ubuntu3.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-10062, CVE-2016-10144, CVE-2016-10145, CVE-2016-10146, CVE-2016-8707, CVE-2017-5506, CVE-2017-5507, CVE-2017-5508, CVE-2017-5510, CVE-2017-5511

USN-3219-1: Linux kernel vulnerability

Ubuntu Security Notice USN-3219-1

7th March, 2017

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux
    – Linux kernel

Details

Alexander Popov discovered that the N_HDLC line discipline implementation
in the Linux kernel contained a double-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • linux-image-powerpc-smp – 3.13.0.112.120
  • linux-image-3.13.0-112-powerpc-e500 – 3.13.0-112.159
  • linux-image-3.13.0-112-powerpc-smp – 3.13.0-112.159
  • linux-image-generic – 3.13.0.112.120
  • linux-image-3.13.0-112-powerpc-e500mc – 3.13.0-112.159
  • linux-image-powerpc-e500mc – 3.13.0.112.120
  • linux-image-generic-lpae – 3.13.0.112.120
  • linux-image-3.13.0-112-powerpc64-smp – 3.13.0-112.159
  • linux-image-powerpc-e500 – 3.13.0.112.120
  • linux-image-3.13.0-112-generic-lpae – 3.13.0-112.159
  • linux-image-3.13.0-112-lowlatency – 3.13.0-112.159
  • linux-image-lowlatency – 3.13.0.112.120
  • linux-image-3.13.0-112-generic – 3.13.0-112.159
  • linux-image-3.13.0-112-powerpc64-emb – 3.13.0-112.159
  • linux-image-powerpc64-emb – 3.13.0.112.120
  • linux-image-powerpc64-smp – 3.13.0.112.120

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-2636