Arch-security

arch-security@lists.archlinux.org

[arch-security] [ASA-201711-43] thunderbird: multiple issues
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-43
==========================================

Severity: Critical
Date    : 2017-11-30
CVE-ID  : CVE-2017-7826 CVE-2017-7828 CVE-2017-7830
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-530

Summary
=======

The package thunderbird before version 52.5.0-1 is vulnerable to
multiple issues including arbitrary code execution and same-origin
policy bypass.

Resolution
==========

Upgrade to 52.5.0-1.

# pacman -Syu "thunderbird>=52.5.0-1"

The problems have been fixed upstream in version 52.5.0.

Workaround
==========

None.

Description
===========

- CVE-2017-7826 (arbitrary code execution)

Several reported memory safety bugs have been found in Firefox before
57.0 and Thunderbird before 52.5. Some of these bugs showed evidence of
memory corruption and with enough effort some of these could probably
be exploited to run arbitrary code.

- CVE-2017-7828 (arbitrary code execution)

A use-after-free vulnerability can occur in Firefox before 57.0 and
Thunderbird before 52.5 when flushing and resizing layout because the
PressShell object has been freed while still in use. This results in a
potentially exploitable crash during these operations.

- CVE-2017-7830 (same-origin policy bypass)

The Resource Timing API in Firefox before 57.0 and Thunderbird before
52.5 incorrectly revealed navigations in cross-origin iframes. This is
a same-origin policy violation and could allow for data theft of URLs
loaded by users.

Impact
======

A remote attacker is able to bypass same-origin policy restrictions or
execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7826
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1394530%2C1369561%2C1411458…
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7828
https://bugzilla.mozilla.org/show_bug.cgi?id=1406750
https://bugzilla.mozilla.org/show_bug.cgi?id=1412252
https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7830
https://bugzilla.mozilla.org/show_bug.cgi?id=1408990
https://security.archlinux.org/CVE-2017-7826
https://security.archlinux.org/CVE-2017-7828
https://security.archlinux.org/CVE-2017-7830
[arch-security] [ASA-201711-42] lib32-libxcursor: arbitrary code execution
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-42
==========================================

Severity: High
Date    : 2017-11-30
CVE-ID  : CVE-2017-16612
Package : lib32-libxcursor
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-532

Summary
=======

The package lib32-libxcursor before version 1.1.15-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1.1.15-1.

# pacman -Syu "lib32-libxcursor>=1.1.15-1"

The problem has been fixed upstream in version 1.1.15.

Workaround
==========

None.

Description
===========

It was discovered that libxcursor before 1.1.15 is vulnerable to heap
overflows due to an integer overflow while parsing images and a
signedness issue while parsing comments. An attacker could use local
privileges or trick a user into parsing a malicious file to cause
libxcursor to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Impact
======

An attacker could use local privileges or trick a user into parsing a
malicious image file to cause libxcursor to crash, resulting in a
denial of service, or possibly execute arbitrary code.

References
==========

http://openwall.com/lists/oss-security/2017/11/28/6
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd3468815…
https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2
https://security.archlinux.org/CVE-2017-16612
[arch-security] [ASA-201711-41] libxcursor: arbitrary code execution
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-41
==========================================

Severity: High
Date    : 2017-11-30
CVE-ID  : CVE-2017-16612
Package : libxcursor
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-531

Summary
=======

The package libxcursor before version 1.1.15-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1.1.15-1.

# pacman -Syu "libxcursor>=1.1.15-1"

The problem has been fixed upstream in version 1.1.15.

Workaround
==========

None.

Description
===========

It was discovered that libxcursor before 1.1.15 is vulnerable to heap
overflows due to an integer overflow while parsing images and a
signedness issue while parsing comments. An attacker could use local
privileges or trick a user into parsing a malicious file to cause
libxcursor to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Impact
======

An attacker could use local privileges or trick a user into parsing a
malicious image file to cause libxcursor to crash, resulting in a
denial of service, or possibly execute arbitrary code.

References
==========

http://openwall.com/lists/oss-security/2017/11/28/6
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd3468815…
https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2
https://security.archlinux.org/CVE-2017-16612
[arch-security] [ASA-201711-40] shadowsocks-libev: arbitrary command execution
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-40
==========================================

Severity: High
Date    : 2017-11-30
CVE-ID  : CVE-2017-15924
Package : shadowsocks-libev
Type    : arbitrary command execution
Remote  : No
Link    : https://security.archlinux.org/AVG-474

Summary
=======

The package shadowsocks-libev before version 3.1.1-1 is vulnerable to
arbitrary command execution.

Resolution
==========

Upgrade to 3.1.1-1.

# pacman -Syu "shadowsocks-libev>=3.1.1-1"

The problem has been fixed upstream in version 3.1.1.

Workaround
==========

None.

Description
===========

In manager.c in ss-manager in shadowsocks-libev before 3.1.1, improper
parsing allows command injection via shell metacharacters in a JSON
configuration request received via 127.0.0.1 UDP traffic, related to
the add_server, build_config, and construct_command_line functions.

Impact
======

A local attacker could send a specially crafted configuration request
to localhost that, when processed by ss-manager, leads to the execution
of arbitrary commands as the user running ss-manager.

References
==========

http://openwall.com/lists/oss-security/2017/10/13/2
https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275803dc6ea22c5…
https://github.com/shadowsocks/shadowsocks-libev/issues/1734
https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/
https://security.archlinux.org/CVE-2017-15924
[arch-security] [ASA-201711-39] procmail: arbitrary code execution
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-39
==========================================

Severity: Critical
Date    : 2017-11-30
CVE-ID  : CVE-2017-16844
Package : procmail
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-515

Summary
=======

The package procmail before version 3.22-9 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 3.22-9.

# pacman -Syu "procmail>=3.22-9"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A heap-based buffer overflow flaw was found in the loadbuf function in
formisc.c in the formail utility in procmail <= 3.22 because of a
hardcoded realloc size. When the buffer is too small, the function
tries to resize it, but only by Bsize (=128) bytes which is not
necessarily enough. A remote attacker could send a specially crafted
email that, when processed by formail, could cause formail to crash or,
possibly, execute arbitrary code as the user running formail.

Impact
======

A remote attacker could send a specially crafted email that, when
processed by formail, could cause formail to crash or, possibly,
execute arbitrary code as the user running formail.

References
==========

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
https://security.archlinux.org/CVE-2017-16844
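
The fixed-increment resize described in ASA-201711-39, next to a grow-to-fit version, as an added example that is not part of the advisory and is not procmail's code. The struct `gbuf` and all function names are hypothetical; only the 128-byte step comes from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BSIZE 128u /* growth step quoted in the advisory (Bsize = 128) */

/* Hypothetical growable buffer; not procmail's data structure. */
struct gbuf {
    char  *data;
    size_t filled; /* bytes in use, always <= cap */
    size_t cap;    /* bytes allocated */
};

/* Flawed policy: when the write does not fit, grow once by BSIZE and
 * assume that is enough. Returns the capacity the caller would trust. */
size_t cap_after_fixed_bump(size_t cap, size_t filled, size_t len)
{
    if (len > cap - filled)
        cap += BSIZE;
    return cap;
}

/* Corrected policy: capacity is derived from the bytes actually needed,
 * rounded up to a multiple of BSIZE. Returns 0 on success, -1 if the
 * size arithmetic would wrap. */
int cap_to_fit(size_t cap, size_t filled, size_t len, size_t *newcap)
{
    if (len > SIZE_MAX - filled)
        return -1;
    size_t need = filled + len;
    if (need <= cap) {
        *newcap = cap;
        return 0;
    }
    if (need > SIZE_MAX - (BSIZE - 1))
        return -1;
    *newcap = (need + BSIZE - 1) / BSIZE * BSIZE;
    return 0;
}

/* Append len bytes, resizing first so the copy always stays in bounds. */
int gbuf_append(struct gbuf *b, const char *src, size_t len)
{
    size_t newcap;
    if (cap_to_fit(b->cap, b->filled, len, &newcap) != 0)
        return -1;
    if (newcap != b->cap) {
        char *p = realloc(b->data, newcap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = newcap;
    }
    if (len != 0)
        memcpy(b->data + b->filled, src, len);
    b->filled += len;
    return 0;
}

int main(void)
{
    /* Constructed input: 100 bytes already buffered, 300 more arrive. */
    size_t cap = 128, filled = 100, len = 300, fit = 0;
    printf("needed:     %zu bytes\n", filled + len);
    printf("fixed bump: %zu bytes\n", cap_after_fixed_bump(cap, filled, len));
    if (cap_to_fit(cap, filled, len, &fit) == 0)
        printf("grow-to-fit: %zu bytes\n", fit);
    return 0;
}
```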
[arch-security] [ASA-201711-38] lib32-libcurl-compat: multiple issues
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-38
==========================================

Severity: High
Date    : 2017-11-30
CVE-ID  : CVE-2017-8816 CVE-2017-8817 CVE-2017-8818
Package : lib32-libcurl-compat
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-522

Summary
=======

The package lib32-libcurl-compat before version 7.57.0-1 is vulnerable
to multiple issues including arbitrary code execution and information
disclosure.

Resolution
==========

Upgrade to 7.57.0-1.

# pacman -Syu "lib32-libcurl-compat>=7.57.0-1"

The problems have been fixed upstream in version 7.57.0.

Workaround
==========

None.

Description
===========

- CVE-2017-8816 (arbitrary code execution)

A buffer overrun flaw has been found in libcurl > 7.15.4 and < 7.57.0,
in the NTLM authentication code. The internal function
`Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of the user name +
password (= SUM) and multiplies the sum by two (= SIZE) to figure out
how large storage to allocate from the heap. The SUM value is
subsequently used to iterate over the input and generate output into
the storage buffer. On systems with a 32 bit `size_t`, the math to
calculate SIZE triggers an integer overflow when the combined lengths
of the user name and password is larger than 2GB (2^31 bytes). This
integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a buffer overrun. This is only an issue on 32 bit
systems. It also requires the user and password fields to use more than
2GB of memory combined, which in itself should be rare.

- CVE-2017-8817 (information disclosure)

A read out of bounds flaw has been found in the FTP wildcard function
of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching
feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can
use a built-in wildcard function or a user provided one. The built-in
wildcard function has a flaw that makes it not detect the end of the
pattern string if it ends with an open bracket (`[`) but instead it
will continue reading the heap beyond the end of the URL buffer that
holds the wildcard. For applications that use HTTP(S) URLs, allow
libcurl to handle redirects and have FTP wildcards enabled, this flaw
can be triggered by malicious servers that can redirect clients to a
URL using such a wildcard pattern.

- CVE-2017-8818 (arbitrary code execution)

An out-of-bounds flaw has been found in the SSL related code of libcurl
>= 7.56.0 and < 7.57.0. When allocating memory for a connection (the
internal struct called connectdata), a certain amount of memory is
allocated at the end of the struct to be used for SSL related structs.
Those structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one. The math used
to calculate the extra memory amount necessary for the SSL library was
wrong on 32 bit systems, which made the allocated memory too small by 4
bytes. The last struct member of the last object within the memory area
could then be outside of what was allocated. Accessing that member
could lead to a crash or other undefined behaviors depending on what
memory that is present there and how the particular SSL library decides
to act on that memory content. Specifically the vulnerability is
present if libcurl was built so that sizeof(long long *) < sizeof(long
long) which as far as we are aware only happens in 32-bit builds.

Impact
======

A remote attacker is able to crash the application, possibly disclose
sensitive information or execute arbitrary code on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2017-11e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html
https://curl.haxx.se/docs/adv_2017-af0a.html
https://curl.haxx.se/CVE-2017-8816.patch
https://github.com/curl/curl/commit/7f2a1df6f5fc598750b2c6f34465c8d924db28cc
https://curl.haxx.se/CVE-2017-8817.patch
https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
https://curl.haxx.se/CVE-2017-8818.patch
https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400
https://security.archlinux.org/CVE-2017-8816
https://security.archlinux.org/CVE-2017-8817
https://security.archlinux.org/CVE-2017-8818
[arch-security] [ASA-201711-37] lib32-libcurl-gnutls: multiple issues
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-37
==========================================

Severity: High
Date    : 2017-11-30
CVE-ID  : CVE-2017-8816 CVE-2017-8817 CVE-2017-8818
Package : lib32-libcurl-gnutls
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-523

Summary
=======

The package lib32-libcurl-gnutls before version 7.57.0-1 is vulnerable
to multiple issues including arbitrary code execution and information
disclosure.

Resolution
==========

Upgrade to 7.57.0-1.

# pacman -Syu "lib32-libcurl-gnutls>=7.57.0-1"

The problems have been fixed upstream in version 7.57.0.

Workaround
==========

None.

Description
===========

- CVE-2017-8816 (arbitrary code execution)

A buffer overrun flaw has been found in libcurl > 7.15.4 and < 7.57.0,
in the NTLM authentication code. The internal function
`Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of the user name +
password (= SUM) and multiplies the sum by two (= SIZE) to figure out
how large storage to allocate from the heap. The SUM value is
subsequently used to iterate over the input and generate output into
the storage buffer. On systems with a 32 bit `size_t`, the math to
calculate SIZE triggers an integer overflow when the combined lengths
of the user name and password is larger than 2GB (2^31 bytes). This
integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a buffer overrun. This is only an issue on 32 bit
systems. It also requires the user and password fields to use more than
2GB of memory combined, which in itself should be rare.

- CVE-2017-8817 (information disclosure)

A read out of bounds flaw has been found in the FTP wildcard function
of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching
feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can
use a built-in wildcard function or a user provided one. The built-in
wildcard function has a flaw that makes it not detect the end of the
pattern string if it ends with an open bracket (`[`) but instead it
will continue reading the heap beyond the end of the URL buffer that
holds the wildcard. For applications that use HTTP(S) URLs, allow
libcurl to handle redirects and have FTP wildcards enabled, this flaw
can be triggered by malicious servers that can redirect clients to a
URL using such a wildcard pattern.

- CVE-2017-8818 (arbitrary code execution)

An out-of-bounds flaw has been found in the SSL related code of libcurl
>= 7.56.0 and < 7.57.0. When allocating memory for a connection (the
internal struct called connectdata), a certain amount of memory is
allocated at the end of the struct to be used for SSL related structs.
Those structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one. The math used
to calculate the extra memory amount necessary for the SSL library was
wrong on 32 bit systems, which made the allocated memory too small by 4
bytes. The last struct member of the last object within the memory area
could then be outside of what was allocated. Accessing that member
could lead to a crash or other undefined behaviors depending on what
memory that is present there and how the particular SSL library decides
to act on that memory content. Specifically the vulnerability is
present if libcurl was built so that sizeof(long long *) < sizeof(long
long) which as far as we are aware only happens in 32-bit builds.

Impact
======

A remote attacker is able to crash the application, possibly disclose
sensitive information or execute arbitrary code on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2017-11e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html
https://curl.haxx.se/docs/adv_2017-af0a.html
https://curl.haxx.se/CVE-2017-8816.patch
https://github.com/curl/curl/commit/7f2a1df6f5fc598750b2c6f34465c8d924db28cc
https://curl.haxx.se/CVE-2017-8817.patch
https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
https://curl.haxx.se/CVE-2017-8818.patch
https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400
https://security.archlinux.org/CVE-2017-8816
https://security.archlinux.org/CVE-2017-8817
https://security.archlinux.org/CVE-2017-8818
[arch-security] [ASA-201711-36] lib32-curl: multiple issues
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-36
==========================================

Severity: High
Date    : 2017-11-30
CVE-ID  : CVE-2017-8816 CVE-2017-8817 CVE-2017-8818
Package : lib32-curl
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-521

Summary
=======

The package lib32-curl before version 7.57.0-1 is vulnerable to
multiple issues including arbitrary code execution and information
disclosure.

Resolution
==========

Upgrade to 7.57.0-1.

# pacman -Syu "lib32-curl>=7.57.0-1"

The problems have been fixed upstream in version 7.57.0.

Workaround
==========

None.

Description
===========

- CVE-2017-8816 (arbitrary code execution)

A buffer overrun flaw has been found in libcurl > 7.15.4 and < 7.57.0,
in the NTLM authentication code. The internal function
`Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of the user name +
password (= SUM) and multiplies the sum by two (= SIZE) to figure out
how large storage to allocate from the heap. The SUM value is
subsequently used to iterate over the input and generate output into
the storage buffer. On systems with a 32 bit `size_t`, the math to
calculate SIZE triggers an integer overflow when the combined lengths
of the user name and password is larger than 2GB (2^31 bytes). This
integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a buffer overrun. This is only an issue on 32 bit
systems. It also requires the user and password fields to use more than
2GB of memory combined, which in itself should be rare.

- CVE-2017-8817 (information disclosure)

A read out of bounds flaw has been found in the FTP wildcard function
of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching
feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can
use a built-in wildcard function or a user provided one. The built-in
wildcard function has a flaw that makes it not detect the end of the
pattern string if it ends with an open bracket (`[`) but instead it
will continue reading the heap beyond the end of the URL buffer that
holds the wildcard. For applications that use HTTP(S) URLs, allow
libcurl to handle redirects and have FTP wildcards enabled, this flaw
can be triggered by malicious servers that can redirect clients to a
URL using such a wildcard pattern.

- CVE-2017-8818 (arbitrary code execution)

An out-of-bounds flaw has been found in the SSL related code of libcurl
>= 7.56.0 and < 7.57.0. When allocating memory for a connection (the
internal struct called connectdata), a certain amount of memory is
allocated at the end of the struct to be used for SSL related structs.
Those structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one. The math used
to calculate the extra memory amount necessary for the SSL library was
wrong on 32 bit systems, which made the allocated memory too small by 4
bytes. The last struct member of the last object within the memory area
could then be outside of what was allocated. Accessing that member
could lead to a crash or other undefined behaviors depending on what
memory that is present there and how the particular SSL library decides
to act on that memory content. Specifically the vulnerability is
present if libcurl was built so that sizeof(long long *) < sizeof(long
long) which as far as we are aware only happens in 32-bit builds.

Impact
======

A remote attacker is able to crash the application, possibly disclose
sensitive information or execute arbitrary code on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2017-11e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html
https://curl.haxx.se/docs/adv_2017-af0a.html
https://curl.haxx.se/CVE-2017-8816.patch
https://github.com/curl/curl/commit/7f2a1df6f5fc598750b2c6f34465c8d924db28cc
https://curl.haxx.se/CVE-2017-8817.patch
https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
https://curl.haxx.se/CVE-2017-8818.patch
https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400
https://security.archlinux.org/CVE-2017-8816
https://security.archlinux.org/CVE-2017-8817
https://security.archlinux.org/CVE-2017-8818
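
The SUM and SIZE arithmetic that the CVE-2017-8816 description in ASA-201711-38, ASA-201711-37 and ASA-201711-36 walks through, next to a checked version, as an added example that is not part of the advisories and is not libcurl's code. The type `size32_t` (a `uint32_t` standing in for a 32 bit `size_t`, so the wraparound reproduces on any host) and all function names are hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a 32 bit size_t (assumption of this example). */
typedef uint32_t size32_t;

/* Unchecked calculation as the advisory describes it:
 * SUM = userlen + passlen, SIZE = SUM * 2. Both steps wrap modulo 2^32. */
size32_t size_unchecked(size32_t userlen, size32_t passlen)
{
    size32_t sum = userlen + passlen;
    return sum * 2u;
}

/* Checked calculation: refuses any input where the addition or the
 * doubling would not fit in 32 bits. */
bool size_checked(size32_t userlen, size32_t passlen, size32_t *size_out)
{
    if (userlen > UINT32_MAX - passlen)
        return false;                 /* SUM would wrap */
    size32_t sum = userlen + passlen;
    if (sum > UINT32_MAX / 2u)
        return false;                 /* SIZE would wrap */
    *size_out = sum * 2u;
    return true;
}

/* Allocation wrapper built on the checked path: returns NULL instead of
 * handing back a buffer smaller than the caller will iterate over. */
void *alloc_credential_buffer(size32_t userlen, size32_t passlen,
                              size32_t *size_out)
{
    size32_t size;
    if (!size_checked(userlen, passlen, &size) || size == 0)
        return NULL;
    *size_out = size;
    return malloc(size);
}

int main(void)
{
    /* Constructed lengths: the second pair sums to just over 2^31. */
    const size32_t cases[][2] = { { 5u, 8u }, { 0x80000000u, 8u } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size32_t u = cases[i][0], p = cases[i][1], checked = 0;
        printf("user=%" PRIu32 " pass=%" PRIu32 "\n", u, p);
        printf("  unchecked SIZE: %" PRIu32 " bytes\n", size_unchecked(u, p));
        if (size_checked(u, p, &checked))
            printf("  checked SIZE:   %" PRIu32 " bytes\n", checked);
        else
            printf("  checked SIZE:   rejected (would wrap)\n");
    }
    return 0;
}
```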
[arch-security] [ASA-201711-35] libcurl-compat: information disclosure
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-35
==========================================

Severity: Medium
Date    : 2017-11-30
CVE-ID  : CVE-2017-8817
Package : libcurl-compat
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-526

Summary
=======

The package libcurl-compat before version 7.57.0-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 7.57.0-1.

# pacman -Syu "libcurl-compat>=7.57.0-1"

The problem has been fixed upstream in version 7.57.0.

Workaround
==========

None.

Description
===========

A read out of bounds flaw has been found in the FTP wildcard function
of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching
feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can
use a built-in wildcard function or a user provided one. The built-in
wildcard function has a flaw that makes it not detect the end of the
pattern string if it ends with an open bracket (`[`) but instead it
will continue reading the heap beyond the end of the URL buffer that
holds the wildcard. For applications that use HTTP(S) URLs, allow
libcurl to handle redirects and have FTP wildcards enabled, this flaw
can be triggered by malicious servers that can redirect clients to a
URL using such a wildcard pattern.

Impact
======

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2017-ae72.html
https://curl.haxx.se/CVE-2017-8817.patch
https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
https://security.archlinux.org/CVE-2017-8817
[arch-security] [ASA-201711-34] libcurl-gnutls: information disclosure
by Levente Polyak 01 Dec '17

Arch Linux Security Advisory ASA-201711-34
==========================================

Severity: Medium
Date    : 2017-11-30
CVE-ID  : CVE-2017-8817
Package : libcurl-gnutls
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-525

Summary
=======

The package libcurl-gnutls before version 7.57.0-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 7.57.0-1.

# pacman -Syu "libcurl-gnutls>=7.57.0-1"

The problem has been fixed upstream in version 7.57.0.

Workaround
==========

None.

Description
===========

A read out of bounds flaw has been found in the FTP wildcard function
of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching
feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can
use a built-in wildcard function or a user provided one. The built-in
wildcard function has a flaw that makes it not detect the end of the
pattern string if it ends with an open bracket (`[`) but instead it
will continue reading the heap beyond the end of the URL buffer that
holds the wildcard. For applications that use HTTP(S) URLs, allow
libcurl to handle redirects and have FTP wildcards enabled, this flaw
can be triggered by malicious servers that can redirect clients to a
URL using such a wildcard pattern.

Impact
======

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2017-ae72.html
https://curl.haxx.se/CVE-2017-8817.patch
https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
https://security.archlinux.org/CVE-2017-8817