Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 438
Alerts This Week
Warning Icon 1 438

RedHat 7 moderate: RHSA-2018-3140 GNOME software security fix

red hat
Calendar Grey October 30, 2018
Dist Redhat Esm H88
Red Hat updates include moderate security fixes for GNOME software, crucial for stability and integrity.

An update is now available for Red Hat Enterprise Linux 7

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

GDM must be restarted for this update to take effect. The X server must be restarted (log out, then log back in) for this update to take effect. The GNOME session must be restarted (log out, then log back in) for this update to take effect. All running instances of Evolution must be restarted for this update to take effect.

Summary

GNOME is the default desktop environment of Red Hat Enterprise Linux.
Security Fix(es):
* libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hostnames (CVE-2018-12910)
* poppler: Infinite recursion in fofi/FoFiType1C.cc:FoFiType1C::cvtGlyph() function allows denial of service (CVE-2017-18267)
* libgxps: heap based buffer over read in ft_font_face_hash function of gxps-fonts.c (CVE-2018-10733)
* libgxps: Stack-based buffer overflow in calling glib in gxps_images_guess_content_type of gcontenttype.c (CVE-2018-10767)
* poppler: NULL pointer dereference in Annot.h:AnnotPath::getCoordsLength() allows for denial of service via crafted PDF (CVE-2018-10768)
* poppler: out of bounds read in pdfunite (CVE-2018-13988)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank chenyuan (NESA Lab) for reporting CVE-2018-10733 and CVE-2018-10767 and Hosein Askari for reporting CVE-2018-13988.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

References

https://access.redhat.com/security/cve/CVE-2017-18267 https://access.redhat.com/security/cve/CVE-2018-10733 https://access.redhat.com/security/cve/CVE-2018-10767 https://access.redhat.com/security/cve/CVE-2018-10768 https://access.redhat.com/security/cve/CVE-2018-12910 https://access.redhat.com/security/cve/CVE-2018-13988 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/index

Package List

Red Hat Enterprise Linux Client (v. 7):
Source: PackageKit-1.1.10-1.el7.src.rpm accountsservice-0.6.50-2.el7.src.rpm adwaita-icon-theme-3.28.0-1.el7.src.rpm appstream-data-7-20180614.el7.src.rpm at-spi2-atk-2.26.2-1.el7.src.rpm at-spi2-core-2.28.0-1.el7.src.rpm atk-2.28.1-1.el7.src.rpm baobab-3.28.0-2.el7.src.rpm bolt-0.4-3.el7.src.rpm brasero-3.12.2-5.el7.src.rpm cairo-1.15.12-3.el7.src.rpm cheese-3.28.0-1.el7.src.rpm clutter-gst3-3.0.26-1.el7.src.rpm compat-exiv2-023-0.23-2.el7.src.rpm control-center-3.28.1-4.el7.src.rpm dconf-0.28.0-4.el7.src.rpm dconf-editor-3.28.0-1.el7.src.rpm ekiga-4.0.1-8.el7.src.rpm empathy-3.12.13-1.el7.src.rpm eog-3.28.3-1.el7.src.rpm evince-3.28.2-5.el7.src.rpm evolution-3.28.5-2.el7.src.rpm evolution-data-server-3.28.5-1.el7.src.rpm evolution-ews-3.28.5-1.el7.src.rpm evolution-mapi-3.28.3-2.el7.src.rpm file-roller-3.28.1-2.el7.src.rpm flatpak-1.0.2-2.el7.src.rpm folks-0.11.4-1.el7.src.rpm fontconfig-2.13.0-4.3.el7.src.rpm freetype-2.8-12.el7.src.rpm fribidi-1.0.2-1.el7.src.rpm fwupd-1.0.8-4.el7.src.rpm fwupdate-12-5.el7.src.rpm gcr-3.28.0-1.el7.src.rpm gdk-pixbuf2-2.36.12-3.el7.src.rpm gdm-3.28.2-9.el7.src.rpm gedit-3.28.1-1.el7.src.rpm gedit-plugins-3.28.1-1.el7.src.rpm

Read the Full Advisory


Advisory ID: RHSA-2018:3140-01
Product: Red Hat Enterprise Linux
Issue date: 2018-10-30

Topic

An update is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64

Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, noarch, ppc64le, s390x

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, noarch, ppc64le, s390x

Bugs Fixed

1309776 - [abrt] gvfs-mtp: sync_transfer_wait_for_completion(): gvfsd-mtp killed by SIGSEGV

1347188 - [abrt] [faf] gnome-shell: gray_record_cell(): /usr/bin/gnome-shell killed by 11

1396775 - Cover art placeholder visible when viewing disabled.

1415697 - No authentication dialog for samba printers1423374 - gnome-shell crashes with signal 11 due to NULL value passed to _clutter_input_device_reset_scroll_info()

1451211 - File conflicts when updating totem

1473167 - There is a NULL pointer dereference in gxps-archive.c in libgxps library .

1484094 - fontconfig-2.10.95-11.el7 pulls random fonts as a dependency

1486064 - gsd selects incorrect backlight on some DRM PRIME configurations

1491720 - reproducer: failed assertion by input through a pipe and then sudo to: accounts-daemon

1497303 - X no longer activates hotplugged monitors if started without one

1501989 - Need to be able to have different language keyboard layout as the first priority on gdm login screen

1502788 - gdkscreen-x11: Don't try to calculate a refresh rate when the XRRModeInfo doesn't have one

1503624 - webkitgtk4: Crash on Google login page when a11y is active

1504129 - Request for Evolution 3.28 series (latest stable)

1507892 - bad post install scripts

1511454 - Inconsistent shell version shown on multiple places

1514182 - the system menu shows a blank space in the VPN item

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.