安全公告详情

NS-SA-2019-0056

2019-07-17 14:57:09

简介

important: flatpak/firefox security update

严重级别

important

主题

An update for flatpak/firefox is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

flatpak: flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.
firefox: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.


Security Fix(es):
flatpak: Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.(CVE-2019-8308)
flatpak: bugfix
firefox: Incorrect convexity calculations in Skia in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.(CVE-2019-5785)
firefox: An integer overflow in path handling lead to a use after free in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.(CVE-2018-18356)
firefox: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F11.

影响组件

  • flatpak
  • firefox

影响产品

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

更新包

{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[{"binary":["flatpak-1.0.2-4.el7_6.x86_64.rpm","flatpak-builder-1.0.0-4.el7_6.x86_64.rpm","flatpak-debuginfo-1.0.2-4.el7_6.x86_64.rpm","flatpak-devel-1.0.2-4.el7_6.x86_64.rpm","flatpak-libs-1.0.2-4.el7_6.x86_64.rpm"],"source":"flatpak-1.0.2-4.el7_6.src.rpm"},{"binary":["firefox-60.5.1-1.el7.centos.x86_64.rpm","firefox-debuginfo-60.5.1-1.el7.centos.x86_64.rpm"],"source":"firefox-60.5.1-1.el7.centos.src.rpm"}]},{"product":"CGSL CORE 5.04","pkgs":[{"binary":["flatpak-libs-1.0.2-4.el7_6.x86_64.rpm","flatpak-1.0.2-4.el7_6.x86_64.rpm","flatpak-builder-1.0.0-4.el7_6.x86_64.rpm","flatpak-debuginfo-1.0.2-4.el7_6.x86_64.rpm","flatpak-devel-1.0.2-4.el7_6.x86_64.rpm"],"source":"flatpak-1.0.2-4.el7_6.src.rpm"},{"binary":["firefox-60.5.1-1.el7.centos.x86_64.rpm","firefox-debuginfo-60.5.1-1.el7.centos.x86_64.rpm"],"source":"firefox-60.5.1-1.el7.centos.src.rpm"}]}]}

CVE

参考