From santiago at archlinux.org Tue May 7 20:52:00 2019
From: santiago at archlinux.org (Santiago Torres-Arias)
Date: Tue, 7 May 2019 16:52:00 -0400
Subject: [ASA-201905-1] munin: arbitrary file overwrite
Message-ID: <20190507205200.4xkupn6m2rmhibnl@LykOS.localdomain>

Arch Linux Security Advisory ASA-201905-1
=========================================

Severity: High
Date    : 2019-05-06
CVE-ID  : CVE-2017-6188
Package : munin
Type    : arbitrary file overwrite
Remote  : Yes
Link    : https://security.archlinux.org/AVG-953

Summary
=======

The package munin before version 2.0.47-1 is vulnerable to arbitrary file
overwrite.

Resolution
==========

Upgrade to 2.0.47-1.

# pacman -Syu "munin>=2.0.47-1"

The problem has been fixed upstream in version 2.0.47.

Workaround
==========

None.

Description
===========

A vulnerability in munin allows attackers to overwrite any file accessible to
the webserver user by setting multiple upper_limit GET parameters when CGI
graphs are enabled.

Impact
======

A remote attacker is able to overwrite arbitrary files on the filesystem.

References
==========

https://bugs.archlinux.org/task/57537
https://www.debian.org/security/2017/dsa-3794
https://github.com/munin-monitoring/munin/pull/797/commits/42ce18f24d3eae8be33526a198bf21e4f2330230
https://security.archlinux.org/CVE-2017-6188
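Added example, not munin's code and not the referenced fix: the advisory's only detail is that upper_limit has to be supplied more than once. The block models the argument-injection class that a repeated GET parameter produces when a CGI front end appends every value of it to the argument list of its graphing helper: the helper receives a second, attacker-chosen token and parses it as an option of its own, and any option that names an output file is enough for the overwrite the advisory describes. No shell is involved. The helper name "graphtool", its "--upper-limit" and "--output" options and the query strings are hypothetical; the hardened builder rejects a repeated parameter, requires a numeric value and passes it as one token.

```c
/* Added example, not munin's code: how a GET parameter that is supplied more
 * than once turns into extra argv entries for a graphing helper, and a
 * hardened builder that refuses that. "graphtool", "--upper-limit" and
 * "--output" are hypothetical stand-ins; the query strings are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VALUES 16
#define VALUE_LEN 64

/* Collect every value of `key` from an application/x-www-form-urlencoded
 * query string (no percent-decoding, which the demonstration does not need).
 * Returns the number of values found. */
static int query_values(const char *query, const char *key,
                        char out[][VALUE_LEN], int max) {
    int n = 0;
    size_t klen = strlen(key);
    const char *p = query;
    while (*p && n < max) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        if (len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen >= VALUE_LEN) vlen = VALUE_LEN - 1;
            memcpy(out[n], p + klen + 1, vlen);
            out[n][vlen] = '\0';
            n++;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return n;
}

/* Vulnerable shape: every value of upper_limit is appended after the option,
 * so "upper_limit=100&upper_limit=--output=/srv/www/x" hands the helper a
 * second, attacker-chosen argument that it parses as an option of its own. */
int build_argv_vulnerable(const char *query, const char *argv[], int max) {
    static char vals[MAX_VALUES][VALUE_LEN];
    int argc = 0, n = query_values(query, "upper_limit", vals, MAX_VALUES);
    argv[argc++] = "graphtool";
    if (n > 0 && argc < max - 1) {
        argv[argc++] = "--upper-limit";
        for (int i = 0; i < n && argc < max - 1; i++)
            argv[argc++] = vals[i];
    }
    argv[argc] = NULL;
    return argc;
}

/* Hardened: a repeated parameter is refused instead of silently flattened,
 * the single value must parse completely as a number, and it is passed in
 * the one-token "--upper-limit=N" form so it can never start a new option.
 * Returns the argument count, or -1 when the request is refused. */
int build_argv_hardened(const char *query, const char *argv[], int max) {
    static char vals[MAX_VALUES][VALUE_LEN];
    static char opt[VALUE_LEN + 16];
    int argc = 0, n = query_values(query, "upper_limit", vals, MAX_VALUES);
    if (n > 1 || max < 3) return -1;
    argv[argc++] = "graphtool";
    if (n == 1) {
        char *end;
        strtod(vals[0], &end);
        if (end == vals[0] || *end != '\0') return -1;   /* not a plain number */
        snprintf(opt, sizeof opt, "--upper-limit=%s", vals[0]);
        argv[argc++] = opt;
    }
    argv[argc] = NULL;
    return argc;
}

int main(void) {
    const char *argv[MAX_VALUES];
    const char *q = "upper_limit=100&upper_limit=--output=/srv/www/x";
    int n = build_argv_vulnerable(q, argv, MAX_VALUES);
    for (int i = 0; i < n; i++) printf("vulnerable argv[%d] = %s\n", i, argv[i]);
    printf("hardened: %d (negative = request refused)\n",
           build_argv_hardened(q, argv, MAX_VALUES));
    return 0;
}
```

Compile with `cc -Wall -o argv_demo argv_demo.c` and run it: the vulnerable builder prints the smuggled "--output=/srv/www/x" as its own argument, the hardened one refuses the request. The same check applies to any CGI that forwards request parameters to a helper: take exactly one value, validate its type, and never let a value become a separate argv token.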
From santiago at archlinux.org Tue May 7 20:52:48 2019
From: santiago at archlinux.org (Santiago Torres-Arias)
Date: Tue, 7 May 2019 16:52:48 -0400
Subject: [ASA-201905-2] linux: arbitrary code execution
Message-ID: <20190507205247.oygtekmdtiljvzgi@LykOS.localdomain>

Arch Linux Security Advisory ASA-201905-2
=========================================

Severity: High
Date    : 2019-05-06
CVE-ID  : CVE-2019-11683
Package : linux
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-955

Summary
=======

The package linux before version 5.0.12.arch2-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 5.0.12.arch2-1.

# pacman -Syu "linux>=5.0.12.arch2-1"

The problem has been fixed upstream in version 5.0.12.arch2.

Workaround
==========

None.

Description
===========

udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x
through 5.0.11 allows remote attackers to cause a denial of service
(slab-out-of-bounds memory corruption) or possibly have unspecified other
impact via UDP packets with a 0 payload, because of mishandling of padded
packets, aka the "GRO packet of death" issue.

Impact
======

A remote attacker is able to cause a denial of service possibly leading to
remote code execution by sending UDP packets with a special payload.

References
==========

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=4dd2b82d5adfbe0b1587ccad7a8f76d826120f37
http://www.securityfocus.com/bid/108142
http://www.openwall.com/lists/oss-security/2019/05/05/4
http://www.openwall.com/lists/oss-security/2019/05/02/1
https://security.archlinux.org/CVE-2019-11683
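Added example, not kernel code: what a "UDP packet with a 0 payload" looks like on the wire and why the advisory talks about padding. An Ethernet/IPv4/UDP datagram with no payload is 42 bytes, so the sender pads it to the 60-byte Ethernet minimum; the receiving driver hands up 60 bytes while ip.tot_len says 28, and how the GRO path copes with that mismatch is what the referenced commit changes. The block builds such a frame (addresses and ports are constructed samples) and adds a triage check for captured data that flags zero-payload UDP frames and reports their padding. It sends nothing; transmitting the frame through a raw socket at a host you are allowed to test is left to the reader.

```c
/* Added example, not kernel code: builds the frame shape named in the
 * advisory (IPv4/UDP with a 0-byte payload) as it arrives on the wire,
 * padded to the 60-byte Ethernet minimum, plus a pcap-triage check that
 * flags such frames. Addresses and ports are constructed samples. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define ETH_ZLEN 60          /* minimum Ethernet frame length, FCS excluded */
#define IP_HLEN  20
#define UDP_HLEN 8

/* RFC 1071 one's-complement sum, continuing from `sum` so a pseudo-header can
 * be summed first; csum_fold() turns it into the 16-bit field value. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    while (len > 1) { sum += (uint32_t)(p[0] << 8 | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)(p[0] << 8);
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static uint32_t udp_pseudo_sum(const uint8_t *ip, uint16_t ulen) {
    uint8_t ph[12];
    memcpy(ph, ip + 12, 8);                        /* source, destination address */
    ph[8] = 0; ph[9] = 17; ph[10] = ulen >> 8; ph[11] = ulen & 0xff;
    return csum_add(0, ph, 12);
}

/* Write an Ethernet/IPv4/UDP frame with `plen` payload bytes into `out` (which
 * must hold max(ETH_ZLEN, 42 + plen) bytes) and return its length. Short
 * frames are zero-padded to ETH_ZLEN exactly as a sending NIC does, which is
 * why the receiver sees more bytes than ip.tot_len declares. */
size_t build_udp_frame(uint32_t saddr, uint32_t daddr, uint16_t sport,
                       uint16_t dport, const uint8_t *payload, size_t plen,
                       uint8_t *out) {
    uint8_t *ip = out + ETH_HLEN, *udp = ip + IP_HLEN;
    uint16_t ulen = (uint16_t)(UDP_HLEN + plen), tlen = (uint16_t)(IP_HLEN + ulen), c;
    memset(out, 0, ETH_ZLEN);                      /* zero MACs and padding */
    out[12] = 0x08; out[13] = 0x00;                /* EtherType IPv4 */
    ip[0] = 0x45; ip[2] = tlen >> 8; ip[3] = tlen & 0xff;
    ip[6] = 0x40;                                  /* DF, no fragments */
    ip[8] = 64; ip[9] = 17;                        /* TTL, protocol UDP */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    c = csum_fold(csum_add(0, ip, IP_HLEN));
    ip[10] = c >> 8; ip[11] = c & 0xff;
    udp[0] = sport >> 8; udp[1] = sport & 0xff;
    udp[2] = dport >> 8; udp[3] = dport & 0xff;
    udp[4] = ulen >> 8;  udp[5] = ulen & 0xff; udp[6] = udp[7] = 0;
    if (plen) memcpy(udp + UDP_HLEN, payload, plen);
    c = csum_fold(csum_add(udp_pseudo_sum(ip, ulen), udp, ulen));
    if (c == 0) c = 0xffff;                        /* 0 means "no checksum" in UDP */
    udp[6] = c >> 8; udp[7] = c & 0xff;
    size_t flen = ETH_HLEN + tlen;
    return flen < ETH_ZLEN ? ETH_ZLEN : flen;
}

/* Triage for captured frames. Returns 1 when `f` is an IPv4/UDP datagram whose
 * UDP length field covers the header only (the zero-payload shape), 0 for any
 * other well-formed frame, -1 for a truncated or inconsistent one. `padding`
 * receives the link-layer bytes beyond ip.tot_len, `udp_payload` the payload
 * length the UDP header claims. */
int classify_udp_frame(const uint8_t *f, size_t flen, size_t *padding,
                       size_t *udp_payload) {
    if (flen < ETH_HLEN + IP_HLEN + UDP_HLEN) return -1;
    if (f[12] != 0x08 || f[13] != 0x00) return 0;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tlen = (size_t)(ip[2] << 8 | ip[3]);
    if ((ip[0] >> 4) != 4 || ihl < IP_HLEN || tlen < ihl || ETH_HLEN + tlen > flen) return -1;
    if (ip[9] != 17) return 0;
    if (tlen < ihl + UDP_HLEN) return -1;
    const uint8_t *udp = ip + ihl;
    size_t ulen = (size_t)(udp[4] << 8 | udp[5]);
    if (ulen < UDP_HLEN || ulen > tlen - ihl) return -1;
    *padding = flen - (ETH_HLEN + tlen);
    *udp_payload = ulen - UDP_HLEN;
    return *udp_payload == 0;
}

int main(void) {
    uint8_t frame[256];
    size_t pad, pl;
    size_t n = build_udp_frame(0x0a000001u, 0x0a000002u, 40000, 53, NULL, 0, frame);
    int r = classify_udp_frame(frame, n, &pad, &pl);
    printf("frame=%zu bytes zero_payload=%d padding=%zu udp_payload=%zu\n", n, r, pad, pl);
    return 0;
}
```

The point to take from the classifier is the pair of numbers it reports: a padded zero-payload datagram is 60 bytes on the wire but declares 28, and any code that walks such a packet by skb length rather than by the IP and UDP length fields is looking at 18 bytes that belong to no header.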
From santiago at archlinux.org Tue May 7 20:53:13 2019
From: santiago at archlinux.org (Santiago Torres-Arias)
Date: Tue, 7 May 2019 16:53:13 -0400
Subject: [ASA-201905-3] nautilus: sandbox escape
Message-ID: <20190507205313.oxpvfa6gonby4k5j@LykOS.localdomain>

Arch Linux Security Advisory ASA-201905-3
=========================================

Severity: High
Date    : 2019-05-06
CVE-ID  : CVE-2019-11461
Package : nautilus
Type    : sandbox escape
Remote  : No
Link    : https://security.archlinux.org/AVG-956

Summary
=======

The package nautilus before version 3.32.1-1 is vulnerable to sandbox escape.

Resolution
==========

Upgrade to 3.32.1-1.

# pacman -Syu "nautilus>=3.32.1-1"

The problem has been fixed upstream in version 3.32.1.

Workaround
==========

None.

Description
===========

An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior
to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to
confine thumbnailers by using the TIOCSTI ioctl to push characters into the
input buffer of the thumbnailer's controlling terminal, allowing an attacker
to escape the sandbox if the thumbnailer has a controlling terminal. This is
due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to
CVE-2019-10063.

Impact
======

A local attacker is able to escape the sandbox.

References
==========

https://gitlab.gnome.org/GNOME/nautilus/issues/987
https://gitlab.gnome.org/GNOME/nautilus/commit/2ddba428ef2b13d0620bd599c3635b9c11044659
https://security.archlinux.org/CVE-2019-11461
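Added example, not Nautilus's or bubblewrap's code: the three pieces the description above puts together. push_to_tty() is the escape primitive (TIOCSTI queues bytes on the controlling terminal as if the user had typed them, so a compromised thumbnailer that still has a terminal can type a command into the user's shell). The two filter_blocks_* functions model the 64-bit mistake the advisory names: a seccomp rule that compares the whole 64-bit ioctl argument against TIOCSTI, while the kernel only looks at the low 32 bits, so a request with bit 32 set passes the rule and still runs TIOCSTI. install_tiocsti_filter() is a raw seccomp-BPF rule written so that it cannot be bypassed that way. Function names are this example's own; the filter covers x86-64 and aarch64 only, and the model functions compile everywhere.

```c
/* Added example, not Nautilus's or bubblewrap's code: the TIOCSTI escape the
 * advisory describes, the 64-bit filter mistake that lets it through, and a
 * raw seccomp filter that closes it. Function names are this example's own. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#endif
#ifndef TIOCSTI
#define TIOCSTI 0x5412   /* Linux asm-generic value, used by the model functions only */
#endif

/* The kernel takes the ioctl request as a 32-bit `unsigned int`; whatever sits
 * in the upper half of the 64-bit register is discarded before dispatch. */
uint32_t kernel_effective_request(uint64_t raw_arg) { return (uint32_t)raw_arg; }

/* The 64-bit mistake: a rule comparing the whole syscall argument. The value
 * TIOCSTI | (1ULL << 32) is not equal to TIOCSTI, so it is allowed, yet the
 * kernel still executes TIOCSTI for it. */
int filter_blocks_naive(uint64_t raw_arg) { return raw_arg == (uint64_t)TIOCSTI; }

/* Correct: compare only the 32 bits the kernel is going to use. */
int filter_blocks_masked(uint64_t raw_arg) {
    return (raw_arg & 0xffffffffULL) == (uint64_t)TIOCSTI;
}

#ifdef __linux__
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#define DEMO_ARCH 0           /* other architectures are not covered by this demo */
#endif

/* Install a filter under which ioctl(..., TIOCSTI, ...) fails with EPERM.
 * Loading only the low 32-bit word of args[1] (little-endian layout) applies
 * the same truncation the kernel does, so the high-bit variant is caught too.
 * A real sandbox would also simply give the thumbnailer no controlling
 * terminal; this is the one rule that matters for the advisory. */
int install_tiocsti_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (DEMO_ARCH == 0) { errno = ENOSYS; return -1; }
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* The escape primitive: queue bytes on the controlling terminal as if typed.
 * `high_bits` is OR-ed into the request to exercise the truncation bypass.
 * Returns 0 if every byte was queued, -1 with errno set (EPERM under the
 * filter, ENOTTY when fd 0 is not a terminal, i.e. there is nothing to escape to). */
int push_to_tty(const char *s, uint64_t high_bits) {
    for (; *s; s++)
        if (ioctl(0, (unsigned long)TIOCSTI | high_bits, s) != 0) return -1;
    return 0;
}

int main(int argc, char **argv) {
    /* ./tiocsti          -> filter installed, both request forms rejected
     * ./tiocsti --unsafe -> no filter; the bytes land in your shell's input */
    if (!(argc > 1 && strcmp(argv[1], "--unsafe") == 0) && install_tiocsti_filter() != 0) {
        perror("install_tiocsti_filter");
        return 1;
    }
    int plain = push_to_tty("echo tiocsti\n", 0);
    printf("plain request: %s\n", plain == 0 ? "queued" : strerror(errno));
    int bypass = push_to_tty("echo tiocsti-high-bits\n", 1ULL << 32);
    printf("request with bit 32 set: %s\n", bypass == 0 ? "queued" : strerror(errno));
    return 0;
}
#endif
```

Run it from an interactive terminal: with the filter installed both forms fail with EPERM; with `--unsafe` both lines are executed by your shell after the program exits, which is exactly the effect a compromised thumbnailer with a controlling terminal gets. Kernels built with TIOCSTI disabled (CONFIG_LEGACY_TIOCSTI=n, available since Linux 6.2) refuse the ioctl outright, so the unsafe run fails there too.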
From santiago at archlinux.org Tue May 7 20:53:59 2019
From: santiago at archlinux.org (Santiago Torres-Arias)
Date: Tue, 7 May 2019 16:53:59 -0400
Subject: [ASA-201905-4] linux-zen: arbitrary code execution
Message-ID: <20190507205359.sxnlm3pub7ir7pkf@LykOS.localdomain>

Arch Linux Security Advisory ASA-201905-4
=========================================

Severity: High
Date    : 2019-05-06
CVE-ID  : CVE-2019-11683
Package : linux-zen
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-957

Summary
=======

The package linux-zen before version 5.0.12.zen2-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 5.0.12.zen2-1.

# pacman -Syu "linux-zen>=5.0.12.zen2-1"

The problem has been fixed upstream in version 5.0.12.zen2.

Workaround
==========

None.

Description
===========

udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x
through 5.0.11 allows remote attackers to cause a denial of service
(slab-out-of-bounds memory corruption) or possibly have unspecified other
impact via UDP packets with a 0 payload, because of mishandling of padded
packets, aka the "GRO packet of death" issue.

Impact
======

A remote attacker is able to cause a denial of service possibly leading to
remote code execution by sending UDP packets with a special payload.

References
==========

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=4dd2b82d5adfbe0b1587ccad7a8f76d826120f37
http://www.securityfocus.com/bid/108142
http://www.openwall.com/lists/oss-security/2019/05/05/4
http://www.openwall.com/lists/oss-security/2019/05/02/1
https://security.archlinux.org/CVE-2019-11683
From santiago at archlinux.org Tue May 7 20:54:31 2019
From: santiago at archlinux.org (Santiago Torres-Arias)
Date: Tue, 7 May 2019 16:54:31 -0400
Subject: [ASA-201905-5] tcpreplay: multiple issues
Message-ID: <20190507205431.alsz34ko27l3xy2e@LykOS.localdomain>

Arch Linux Security Advisory ASA-201905-5
=========================================

Severity: High
Date    : 2019-05-06
CVE-ID  : CVE-2019-8376 CVE-2019-8377 CVE-2019-8381
Package : tcpreplay
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-902

Summary
=======

The package tcpreplay before version 4.3.2-1 is vulnerable to multiple issues
including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 4.3.2-1.

# pacman -Syu "tcpreplay>=4.3.2-1"

The problems have been fixed upstream in version 4.3.2.

Workaround
==========

None.

Description
===========

- CVE-2019-8376 (denial of service)

An issue was discovered in tcpreplay 4.3.1. A NULL pointer dereference
occurred in the function get_layer4_v6() located at get.c. This can be
triggered by sending a crafted pcap file to the tcpreplay-edit binary. It
allows an attacker to cause a Denial of Service (Segmentation fault) or
possibly have unspecified other impact.

- CVE-2019-8377 (denial of service)

An issue was discovered in tcpreplay 4.3.1. A NULL pointer dereference
occurred in the function get_ipv6_l4proto() located at get.c. This can be
triggered by sending a crafted pcap file to the tcpreplay-edit binary. It
allows an attacker to cause a Denial of Service (Segmentation fault) or
possibly have unspecified other impact.

- CVE-2019-8381 (arbitrary code execution)

An issue was discovered in tcpreplay 4.3.1. An invalid memory access occurs
in do_checksum in checksum.c. It can be triggered by sending a crafted pcap
file to the tcpreplay-edit binary. It allows an attacker to cause a Denial of
Service (Segmentation fault) or possibly have unspecified other impact.

Impact
======

A remote attacker is able to cause a denial of service, or execute arbitrary
code, with a specially crafted pcap file.

References
==========

https://github.com/appneta/tcpreplay/issues/537
https://research.loginsoft.com/vulnerability/null-pointer-dereference-vulnerability-in-function-get_layer4_v6-tcpreplay-4-3-1/
https://github.com/appneta/tcpreplay/issues/536
https://research.loginsoft.com/vulnerability/null-pointer-dereference-vulnerability-in-function-get_ipv6_l4proto-tcpreplay-4-3-1/
https://research.loginsoft.com/bugs/invalid-memory-access-vulnerability-in-function-do_checksum-tcpreplay-4-3-1/
https://github.com/appneta/tcpreplay/issues/538
https://github.com/appneta/tcpreplay/pull/548/commits/dae97cbafc5c06ebbc6b34e76ba614104f1b73e1
https://security.archlinux.org/CVE-2019-8376
https://security.archlinux.org/CVE-2019-8377
https://security.archlinux.org/CVE-2019-8381

From santiago at archlinux.org Tue May 7 20:55:06 2019
From: santiago at archlinux.org (Santiago Torres-Arias)
Date: Tue, 7 May 2019 16:55:06 -0400
Subject: [ASA-201905-6] dovecot: denial of service
Message-ID: <20190507205506.z7b2sdkqjm4vovkw@LykOS.localdomain>

Arch Linux Security Advisory ASA-201905-6
=========================================

Severity: Medium
Date    : 2019-05-06
CVE-ID  : CVE-2019-11494 CVE-2019-11499
Package : dovecot
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-954

Summary
=======

The package dovecot before version 2.3.6-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 2.3.6-1.

# pacman -Syu "dovecot>=2.3.6-1"

The problems have been fixed upstream in version 2.3.6.

Workaround
==========

None.

Description
===========

- CVE-2019-11494 (denial of service)

Submission-login crashes with signal 11 due to null pointer access when
authentication is aborted by disconnecting. This can lead to denial-of-service
attack by persistent attacker(s).

- CVE-2019-11499 (denial of service)

Submission-login crashes when authentication is started over TLS secured
channel and invalid authentication message is sent. This can lead to
denial-of-service attack by persistent attacker(s).

Impact
======

A remote attacker is able to cause a denial of service by sending invalid
authentication messages or aborting the authentication process.

References
==========

https://dovecot.org/doc/NEWS-2.3
https://www.mail-archive.com/fulldisclosure@seclists.org/msg06126.html
https://dovecot.org/pipermail/dovecot/2019-April/115757.html
https://dovecot.org/pipermail/dovecot/2019-April/115758.html
https://security.archlinux.org/CVE-2019-11494
https://security.archlinux.org/CVE-2019-11499

From santiago at archlinux.org Tue May 7 20:55:33 2019
From: santiago at archlinux.org (Santiago Torres-Arias)
Date: Tue, 7 May 2019 16:55:33 -0400
Subject: [ASA-201905-7] perl-email-address: denial of service
Message-ID: <20190507205532.ui3kj6mni4kngan4@LykOS.localdomain>

Arch Linux Security Advisory ASA-201905-7
=========================================

Severity: Low
Date    : 2019-05-06
CVE-ID  : CVE-2018-12558
Package : perl-email-address
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-722

Summary
=======

The package perl-email-address before version 1.912-1 is vulnerable to denial
of service.

Resolution
==========

Upgrade to 1.912-1.

# pacman -Syu "perl-email-address>=1.912-1"

The problem has been fixed upstream in version 1.912.

Workaround
==========

None.

Description
===========

perl-email-address 1.909 is vulnerable to Algorithm Complexity problem and can
cause Denial of Service when attacker prepares specially crafted input.

Impact
======

A remote attacker can cause a denial of service via specially crafted input.

References
==========

https://github.com/Perl-Email-Project/Email-Address/issues/19
http://www.openwall.com/lists/oss-security/2018/06/19/3
https://security.archlinux.org/CVE-2018-12558

From rgacogne at archlinux.org Tue May 28 13:30:55 2019
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Tue, 28 May 2019 15:30:55 +0200
Subject: [ASA-201905-8] thunderbird: multiple issues
Message-ID:

Arch Linux Security Advisory ASA-201905-8
=========================================

Severity: Critical
Date    : 2019-05-23
CVE-ID  : CVE-2019-5798 CVE-2019-7317 CVE-2019-9800 CVE-2019-9816
          CVE-2019-9817 CVE-2019-9819 CVE-2019-11691 CVE-2019-11692
          CVE-2019-11693 CVE-2019-11698 CVE-2019-18511
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-965

Summary
=======

The package thunderbird before version 60.7.0-1 is vulnerable to multiple
issues including arbitrary code execution, access restriction bypass,
same-origin policy bypass, information disclosure and denial of service.

Resolution
==========

Upgrade to 60.7.0-1.

# pacman -Syu "thunderbird>=60.7.0-1"

The problems have been fixed upstream in version 60.7.0.

Workaround
==========

None.

Description
===========

- CVE-2019-5798 (information disclosure)

An out-of-bounds read has been found in the Skia component of the chromium
browser before 73.0.3683.75 and Thunderbird before 60.7.0.

- CVE-2019-7317 (denial of service)

png_image_free in png.c in libpng 1.6.36 has a use-after-free because
png_image_free_function is called under png_safe_execute.
- CVE-2019-9800 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 67.0 and
Thunderbird before 60.7.0. Some of these bugs showed evidence of memory
corruption and Mozilla presumes that with enough effort some of these could
be exploited to run arbitrary code.

- CVE-2019-9816 (access restriction bypass)

A possible vulnerability exists in Firefox before 67.0 and Thunderbird before
60.7.0, where type confusion can occur when manipulating JavaScript objects in
object groups, allowing for the bypassing of security checks within these
groups. Note that this vulnerability has only been demonstrated with
UnboxedObjects, which are disabled by default on all supported releases.

- CVE-2019-9817 (same-origin policy bypass)

In Firefox before 67.0 and Thunderbird before 60.7.0, images from a different
domain can be read using a canvas object in some circumstances. This could be
used to steal image data from a different site in violation of same-origin
policy.

- CVE-2019-9819 (arbitrary code execution)

A vulnerability where a JavaScript compartment mismatch can occur in Firefox
before 67.0 and Thunderbird before 60.7.0, while working with the fetch API,
resulting in a potentially exploitable crash.

- CVE-2019-11691 (arbitrary code execution)

A use-after-free vulnerability can occur in Firefox before 67.0 and
Thunderbird before 60.7.0, when working with XMLHttpRequest (XHR) in an event
loop, causing the XHR main thread to be called after it has been freed. This
results in a potentially exploitable crash.

- CVE-2019-11692 (arbitrary code execution)

A use-after-free vulnerability can occur in Firefox before 67.0 and
Thunderbird before 60.7.0, when listeners are removed from the event listener
manager while still in use, resulting in a potentially exploitable crash.

- CVE-2019-11693 (arbitrary code execution)

The bufferdata function in WebGL in Firefox before 67.0 and Thunderbird
before 60.7.0 is vulnerable to a buffer overflow with specific graphics
drivers on Linux. This could result in malicious content freezing a tab or
triggering a potentially exploitable crash.

- CVE-2019-11698 (information disclosure)

If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar
in Firefox before 67.0 or Thunderbird before 60.7.0, and the resulting
bookmark is subsequently dragged and dropped into the web content area, an
arbitrary query of a user's browser history can be run and transmitted to the
content page via drop event data. This allows for the theft of browser
history by a malicious site.

- CVE-2019-18511 (same-origin policy bypass)

An issue has been found in Thunderbird before 60.7.0, where cross-origin
images can be read from a canvas element in violation of the same-origin
policy using the transferFromImageBitmap method.

Impact
======

A remote attacker can crash Thunderbird, access sensitive information, bypass
security measures or execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/
https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-5798
https://bugs.chromium.org/p/chromium/issues/detail?id=883596
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
https://github.com/glennrp/libpng/issues/275
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9800
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1540166%2C1534593%2C1546327%2C1540136%2C1538736%2C1538042%2C1535612%2C1499719%2C1499108%2C1538619%2C1535194%2C1516325%2C1542324%2C1542097%2C1532465%2C1533554%2C1541580
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9816
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9816
https://bugzilla.mozilla.org/show_bug.cgi?id=1536768
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9817
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9817
https://bugzilla.mozilla.org/show_bug.cgi?id=1540221
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9819
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9819
https://bugzilla.mozilla.org/show_bug.cgi?id=1532553
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11691
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11691
https://bugzilla.mozilla.org/show_bug.cgi?id=1542465
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11692
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11692
https://bugzilla.mozilla.org/show_bug.cgi?id=1544670
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11693
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11693
https://bugzilla.mozilla.org/show_bug.cgi?id=1532525
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11698
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11698
https://bugzilla.mozilla.org/show_bug.cgi?id=1543191
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2018-18511
https://bugzilla.mozilla.org/show_bug.cgi?id=1526218
https://security.archlinux.org/CVE-2019-5798
https://security.archlinux.org/CVE-2019-7317
https://security.archlinux.org/CVE-2019-9800
https://security.archlinux.org/CVE-2019-9816
https://security.archlinux.org/CVE-2019-9817
https://security.archlinux.org/CVE-2019-9819
https://security.archlinux.org/CVE-2019-11691
https://security.archlinux.org/CVE-2019-11692
https://security.archlinux.org/CVE-2019-11693
https://security.archlinux.org/CVE-2019-11698
https://security.archlinux.org/CVE-2019-18511

From rgacogne at archlinux.org Tue May 28 13:32:12 2019
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Tue, 28 May 2019 15:32:12 +0200
Subject: [ASA-201905-9] firefox: multiple issues
Message-ID: <4ac60aab-109d-e542-aca8-6104af6323e4@archlinux.org>

Arch Linux Security Advisory ASA-201905-9
=========================================

Severity: Critical
Date    : 2019-05-23
CVE-ID  : CVE-2019-7317 CVE-2019-9800 CVE-2019-9814 CVE-2019-9816
          CVE-2019-9817 CVE-2019-9819 CVE-2019-9820 CVE-2019-9821
          CVE-2019-11691 CVE-2019-11692 CVE-2019-11693 CVE-2019-11695
          CVE-2019-11696 CVE-2019-11697 CVE-2019-11698 CVE-2019-11699
          CVE-2019-11701
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-966

Summary
=======

The package firefox before version 67.0-1 is vulnerable to multiple issues
including arbitrary code execution, access restriction bypass, same-origin
policy bypass, content spoofing, information disclosure, cross-site scripting
and denial of service.

Resolution
==========

Upgrade to 67.0-1.

# pacman -Syu "firefox>=67.0-1"

The problems have been fixed upstream in version 67.0.

Workaround
==========

None.

Description
===========

- CVE-2019-7317 (denial of service)

png_image_free in png.c in libpng 1.6.36 has a use-after-free because
png_image_free_function is called under png_safe_execute.

- CVE-2019-9800 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 67.0 and
Thunderbird before 60.7.0. Some of these bugs showed evidence of memory
corruption and Mozilla presumes that with enough effort some of these could
be exploited to run arbitrary code.

- CVE-2019-9814 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 67.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes that with
enough effort some of these could be exploited to run arbitrary code.

- CVE-2019-9816 (access restriction bypass)

A possible vulnerability exists in Firefox before 67.0 and Thunderbird before
60.7.0, where type confusion can occur when manipulating JavaScript objects in
object groups, allowing for the bypassing of security checks within these
groups. Note that this vulnerability has only been demonstrated with
UnboxedObjects, which are disabled by default on all supported releases.

- CVE-2019-9817 (same-origin policy bypass)

In Firefox before 67.0 and Thunderbird before 60.7.0, images from a different
domain can be read using a canvas object in some circumstances. This could be
used to steal image data from a different site in violation of same-origin
policy.

- CVE-2019-9819 (arbitrary code execution)

A vulnerability where a JavaScript compartment mismatch can occur in Firefox
before 67.0 and Thunderbird before 60.7.0, while working with the fetch API,
resulting in a potentially exploitable crash.

- CVE-2019-9820 (arbitrary code execution)

A use-after-free vulnerability can occur in the chrome event handler of
Firefox before 67.0 when it is freed while still in use. This results in a
potentially exploitable crash.

- CVE-2019-9821 (arbitrary code execution)

A use-after-free vulnerability can occur in AssertWorkerThread in Firefox
before 67.0, due to a race condition with shared workers. This results in a
potentially exploitable crash.

- CVE-2019-11691 (arbitrary code execution)

A use-after-free vulnerability can occur in Firefox before 67.0 and
Thunderbird before 60.7.0, when working with XMLHttpRequest (XHR) in an event
loop, causing the XHR main thread to be called after it has been freed. This
results in a potentially exploitable crash.

- CVE-2019-11692 (arbitrary code execution)

A use-after-free vulnerability can occur in Firefox before 67.0 and
Thunderbird before 60.7.0, when listeners are removed from the event listener
manager while still in use, resulting in a potentially exploitable crash.

- CVE-2019-11693 (arbitrary code execution)

The bufferdata function in WebGL in Firefox before 67.0 and Thunderbird
before 60.7.0 is vulnerable to a buffer overflow with specific graphics
drivers on Linux. This could result in malicious content freezing a tab or
triggering a potentially exploitable crash.

- CVE-2019-11695 (content spoofing)

In Firefox before 67.0, a custom cursor defined by scripting on a site can
position itself over the addressbar to spoof the actual cursor when it should
not be allowed outside of the primary web content area. This could be used by
a malicious site to trick users into clicking on permission prompts,
doorhanger notifications, or other buttons inadvertently if the location is
spoofed over the user interface.

- CVE-2019-11696 (content spoofing)

In Firefox before 67.0, files with the .JNLP extension used for "Java web
start" applications are not treated as executable content for download
prompts even though they can be executed if Java is installed on the local
system. This could allow users to mistakenly launch an executable binary
locally.

- CVE-2019-11697 (access restriction bypass)

In Firefox before 67.0, if the ALT and "a" keys are pressed when users receive
an extension installation prompt, the extension will be installed without the
install prompt delay that keeps the prompt visible in order for users to
accept or decline the installation. A malicious web page could use this with
spoofing on the page to trick users into installing a malicious extension.

- CVE-2019-11698 (information disclosure)

If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar
in Firefox before 67.0 or Thunderbird before 60.7.0, and the resulting
bookmark is subsequently dragged and dropped into the web content area, an
arbitrary query of a user's browser history can be run and transmitted to the
content page via drop event data. This allows for the theft of browser
history by a malicious site.

- CVE-2019-11699 (content spoofing)

A malicious page can briefly cause the wrong name to be highlighted as the
domain name in the addressbar during page navigations in Firefox before 67.0.
This could result in user confusion of which site is currently loaded for
spoofing attacks.

- CVE-2019-11701 (cross-site scripting)

The default webcal: protocol handler in Firefox before 67.0 will load a web
site vulnerable to cross-site scripting (XSS) attacks. This default was left
in place as a legacy feature and has now been removed.

Impact
======

A remote attacker can crash the browser, access sensitive information, bypass
security measures or execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
https://github.com/glennrp/libpng/issues/275
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9800
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1540166%2C1534593%2C1546327%2C1540136%2C1538736%2C1538042%2C1535612%2C1499719%2C1499108%2C1538619%2C1535194%2C1516325%2C1542324%2C1542097%2C1532465%2C1533554%2C1541580
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9814
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1527592%2C1534536%2C1520132%2C1543159%2C1539393%2C1459932%2C1459182%2C1516425
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9816
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9816
https://bugzilla.mozilla.org/show_bug.cgi?id=1536768
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9817
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9817
https://bugzilla.mozilla.org/show_bug.cgi?id=1540221
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9819
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9819
https://bugzilla.mozilla.org/show_bug.cgi?id=1532553
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9820
https://bugzilla.mozilla.org/show_bug.cgi?id=1536405
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9821
https://bugzilla.mozilla.org/show_bug.cgi?id=1539125
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11691
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11691
https://bugzilla.mozilla.org/show_bug.cgi?id=1542465
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11692
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11692
https://bugzilla.mozilla.org/show_bug.cgi?id=1544670
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11693
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11693
https://bugzilla.mozilla.org/show_bug.cgi?id=1532525
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11695
https://bugzilla.mozilla.org/show_bug.cgi?id=1445844
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11696
https://bugzilla.mozilla.org/show_bug.cgi?id=1392955
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11697
https://bugzilla.mozilla.org/show_bug.cgi?id=1440079
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11698
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11698
https://bugzilla.mozilla.org/show_bug.cgi?id=1543191
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11699
https://bugzilla.mozilla.org/show_bug.cgi?id=1528939
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11701
https://bugzilla.mozilla.org/show_bug.cgi?id=1518627
https://security.archlinux.org/CVE-2019-7317
https://security.archlinux.org/CVE-2019-9800
https://security.archlinux.org/CVE-2019-9814
https://security.archlinux.org/CVE-2019-9816
https://security.archlinux.org/CVE-2019-9817
https://security.archlinux.org/CVE-2019-9819
https://security.archlinux.org/CVE-2019-9820
https://security.archlinux.org/CVE-2019-9821
https://security.archlinux.org/CVE-2019-11691
https://security.archlinux.org/CVE-2019-11692
https://security.archlinux.org/CVE-2019-11693
https://security.archlinux.org/CVE-2019-11695
https://security.archlinux.org/CVE-2019-11696
https://security.archlinux.org/CVE-2019-11697
https://security.archlinux.org/CVE-2019-11698
https://security.archlinux.org/CVE-2019-11699
https://security.archlinux.org/CVE-2019-11701
Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From rgacogne at archlinux.org Tue May 28 15:08:51 2019 From: rgacogne at archlinux.org (Remi Gacogne) Date: Tue, 28 May 2019 17:08:51 +0200 Subject: [ASA-201905-10] webkit2gtk: multiple issues Message-ID: Arch Linux Security Advisory ASA-201905-10 ========================================== Severity: Critical Date : 2019-05-28 CVE-ID : CVE-2019-8595 CVE-2019-8607 CVE-2019-8615 Package : webkit2gtk Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-967 Summary ======= The package webkit2gtk before version 2.24.2-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure. Resolution ========== Upgrade to 2.24.2-1. # pacman -Syu "webkit2gtk>=2.24.2-1" The problems have been fixed upstream in version 2.24.2. Workaround ========== None. Description =========== - CVE-2019-8595 (arbitrary code execution) Multiple memory corruption issues have been found in WebKitGTK before 2.24.2, where processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8607 (information disclosure) An out-of-bounds read has been found in WebKitGTK before 2.24.2, where processing maliciously crafted web content may result in the disclosure of process memory. - CVE-2019-8615 (arbitrary code execution) Multiple memory corruption issues have been found in WebKitGTK before 2.24.2, where processing maliciously crafted web content may lead to arbitrary code execution. Impact ====== A remote attacker can access sensitive information or execute arbitrary code on the affected host via crafted web content. 
References
==========

https://webkitgtk.org/security/WSA-2019-0003.html
https://webkitgtk.org/security/WSA-2019-0003.html#CVE-2019-8595
https://webkitgtk.org/security/WSA-2019-0003.html#CVE-2019-8607
https://webkitgtk.org/security/WSA-2019-0003.html#CVE-2019-8615
https://security.archlinux.org/CVE-2019-8595
https://security.archlinux.org/CVE-2019-8607
https://security.archlinux.org/CVE-2019-8615

From rgacogne at archlinux.org Fri May 31 15:53:29 2019
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Fri, 31 May 2019 17:53:29 +0200
Subject: [ASA-201905-11] libcurl-compat: arbitrary code execution
Message-ID: <9337b24c-8434-9edb-5da5-9bca9dc585a2@archlinux.org>

Arch Linux Security Advisory ASA-201905-11
==========================================

Severity: High
Date    : 2019-05-31
CVE-ID  : CVE-2019-5436
Package : libcurl-compat
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-959

Summary
=======

The package libcurl-compat before version 7.65.0-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "libcurl-compat>=7.65.0-1"

The problem has been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

libcurl before 7.65.0 contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server. The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller the size that is used, the larger the possible overflow becomes.
Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected host.

References
==========

https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5436

From rgacogne at archlinux.org Fri May 31 15:54:01 2019
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Fri, 31 May 2019 17:54:01 +0200
Subject: [ASA-201905-12] libcurl-gnutls: arbitrary code execution
Message-ID:

Arch Linux Security Advisory ASA-201905-12
==========================================

Severity: High
Date    : 2019-05-31
CVE-ID  : CVE-2019-5436
Package : libcurl-gnutls
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-960

Summary
=======

The package libcurl-gnutls before version 7.65.0-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "libcurl-gnutls>=7.65.0-1"

The problem has been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

libcurl before 7.65.0 contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server. The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller the size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.
Impact
======

A malicious TFTP server can execute arbitrary code on the affected host.

References
==========

https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5436

From rgacogne at archlinux.org Fri May 31 15:54:48 2019
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Fri, 31 May 2019 17:54:48 +0200
Subject: [ASA-201905-13] lib32-libcurl-gnutls: arbitrary code execution
Message-ID:

Arch Linux Security Advisory ASA-201905-13
==========================================

Severity: High
Date    : 2019-05-31
CVE-ID  : CVE-2019-5435 CVE-2019-5436
Package : lib32-libcurl-gnutls
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-961

Summary
=======

The package lib32-libcurl-gnutls before version 7.65.0-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "lib32-libcurl-gnutls>=7.65.0-1"

The problems have been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

- CVE-2019-5435 (arbitrary code execution)

libcurl before 7.65.0 contains two integer overflows in the curl_url_set() function that, if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow. The flaws only exist on 32-bit architectures and require excessive string input lengths.

- CVE-2019-5436 (arbitrary code execution)

libcurl before 7.65.0 contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server.
The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller the size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected host. A remote attacker can execute arbitrary code on the affected host via a crafted URL part of excessive length.

References
==========

https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/5fc28510a4664f4
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5435
https://security.archlinux.org/CVE-2019-5436

From rgacogne at archlinux.org Fri May 31 15:55:34 2019
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Fri, 31 May 2019 17:55:34 +0200
Subject: [ASA-201905-14] lib32-libcurl-compat: arbitrary code execution
Message-ID: <023b0ea5-329e-377b-0db0-adfb9619e6dc@archlinux.org>

Arch Linux Security Advisory ASA-201905-14
==========================================

Severity: High
Date    : 2019-05-31
CVE-ID  : CVE-2019-5435 CVE-2019-5436
Package : lib32-libcurl-compat
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-962

Summary
=======

The package lib32-libcurl-compat before version 7.65.0-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "lib32-libcurl-compat>=7.65.0-1"

The problems have been fixed upstream in version 7.65.0.

Workaround
==========

None.
Description
===========

- CVE-2019-5435 (arbitrary code execution)

libcurl before 7.65.0 contains two integer overflows in the curl_url_set() function that, if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow. The flaws only exist on 32-bit architectures and require excessive string input lengths.

- CVE-2019-5436 (arbitrary code execution)

libcurl before 7.65.0 contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server. The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller the size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected host. A remote attacker can execute arbitrary code on the affected host via a crafted URL part of excessive length.

References
==========

https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/5fc28510a4664f4
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5435
https://security.archlinux.org/CVE-2019-5436
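The CVE-2019-5436 pattern the curl advisories describe, as an added model that is not curl's code: the receive buffer is allocated from the negotiated blksize, while the vulnerable read hands recvfrom() the default 512 + 4 bytes, so the server decides how far past the allocation the write goes. Every name here (tftp_state, tftp_state_init, recv_len_vulnerable, recv_len_fixed, overflow_margin, blksize_exposure) is assumed, and because this model does not reproduce curl's real buffer layout its threshold is "any blksize below the default" rather than the advisory's 504.

```c
/* Added model of the CVE-2019-5436 bug pattern; not curl's code. All names
 * and the buffer layout (blksize + 4-byte header) are assumptions. */
#include <stddef.h>
#include <stdlib.h>

#define TFTP_DEFAULT_BLKSIZE 512
#define TFTP_HEADER 4   /* opcode + block number */

struct tftp_state {
    unsigned char *buf; /* receive buffer */
    size_t buf_len;     /* bytes actually allocated for buf */
};

/* Allocate the receive buffer from the negotiated blksize. */
static int tftp_state_init(struct tftp_state *st, int blksize)
{
    st->buf_len = (size_t)blksize + TFTP_HEADER;
    st->buf = calloc(st->buf_len, 1);
    return st->buf ? 0 : -1;
}

/* Length the vulnerable code hands to recvfrom(): always the default,
 * regardless of how much was really allocated. */
static size_t recv_len_vulnerable(const struct tftp_state *st)
{
    (void)st;
    return TFTP_DEFAULT_BLKSIZE + TFTP_HEADER;
}

/* Length the fixed code hands to recvfrom(): exactly the allocation, so
 * the server cannot push more bytes than the buffer holds. */
static size_t recv_len_fixed(const struct tftp_state *st)
{
    return st->buf_len;
}

/* Bytes a server-controlled packet could write past the allocation when
 * the read is issued with recv_len. Zero means the read is bounded. */
static size_t overflow_margin(const struct tftp_state *st, size_t recv_len)
{
    return recv_len > st->buf_len ? recv_len - st->buf_len : 0;
}

/* Exposure for one negotiated blksize on the vulnerable (fixed == 0) or
 * patched (fixed != 0) read path, computed without doing the unbounded read. */
static size_t blksize_exposure(int blksize, int fixed)
{
    struct tftp_state st;
    size_t margin;
    if (blksize <= 0 || tftp_state_init(&st, blksize) != 0)
        return 0;
    margin = overflow_margin(&st, fixed ? recv_len_fixed(&st)
                                        : recv_len_vulnerable(&st));
    free(st.buf);
    return margin;
}
```

With the default blksize the two read lengths coincide and the margin is zero, which is why the bug only surfaces for users who negotiated a smaller block size.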
From rgacogne at archlinux.org Fri May 31 15:56:05 2019
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Fri, 31 May 2019 17:56:05 +0200
Subject: [ASA-201905-15] lib32-curl: arbitrary code execution
Message-ID: <2dcde865-456e-c785-50a9-3c0d4495b6fb@archlinux.org>

Arch Linux Security Advisory ASA-201905-15
==========================================

Severity: High
Date    : 2019-05-31
CVE-ID  : CVE-2019-5435 CVE-2019-5436
Package : lib32-curl
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-963

Summary
=======

The package lib32-curl before version 7.65.0-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "lib32-curl>=7.65.0-1"

The problems have been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

- CVE-2019-5435 (arbitrary code execution)

libcurl before 7.65.0 contains two integer overflows in the curl_url_set() function that, if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow. The flaws only exist on 32-bit architectures and require excessive string input lengths.

- CVE-2019-5436 (arbitrary code execution)

libcurl before 7.65.0 contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server. The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller the size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.
Impact
======

A malicious TFTP server can execute arbitrary code on the affected host. A remote attacker can execute arbitrary code on the affected host via a crafted URL part of excessive length.

References
==========

https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/5fc28510a4664f4
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5435
https://security.archlinux.org/CVE-2019-5436

From rgacogne at archlinux.org Fri May 31 15:56:36 2019
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Fri, 31 May 2019 17:56:36 +0200
Subject: [ASA-201905-16] curl: arbitrary code execution
Message-ID: <1996d410-33a3-84f1-3f4c-ede5f0ec449f@archlinux.org>

Arch Linux Security Advisory ASA-201905-16
==========================================

Severity: High
Date    : 2019-05-31
CVE-ID  : CVE-2019-5436
Package : curl
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-964

Summary
=======

The package curl before version 7.65.0-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "curl>=7.65.0-1"

The problem has been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

libcurl before 7.65.0 contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server. The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512).
The smaller the size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected host.

References
==========

https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5436

From rgacogne at archlinux.org Fri May 31 15:57:08 2019
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Fri, 31 May 2019 17:57:08 +0200
Subject: [ASA-201905-17] live-media: multiple issues
Message-ID: <257b8658-b2d5-7122-b4db-a99acb703f2b@archlinux.org>

Arch Linux Security Advisory ASA-201905-17
==========================================

Severity: Critical
Date    : 2019-05-31
CVE-ID  : CVE-2019-7314 CVE-2019-7733
Package : live-media
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-870

Summary
=======

The package live-media before version 2019.05.12-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 2019.05.12-1.

# pacman -Syu "live-media>=2019.05.12-1"

The problems have been fixed upstream in version 2019.05.12.

Workaround
==========

None.

Description
===========

- CVE-2019-7314 (arbitrary code execution)

liblivemedia in Live555 before 2019.02.03 mishandles the termination of an RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a use-after-free error that causes the RTSP server to crash (Segmentation fault) or possibly have unspecified other impact.
- CVE-2019-7733 (denial of service)

In Live555 0.95, a setup packet can cause a memory leak leading to DoS because, when there are multiple instances of a single field (username, realm, nonce, uri, or response), only the last instance can ever be freed.

Impact
======

A remote attacker can cause a crash or execute arbitrary code on the affected host via a crafted stream packet.

References
==========

http://lists.live555.com/pipermail/live-devel/2019-February/021143.html
http://www.live555.com/liveMedia/public/changelog.txt
https://github.com/rgaufman/live555/issues/21
https://security.archlinux.org/CVE-2019-7314
https://security.archlinux.org/CVE-2019-7733