Arch Linux 803 Published by

The following security updates has been released for Arch Linux:

ASA-201812-2: chromium: multiple issues
ASA-201812-3: wireshark-cli: multiple issues
ASA-201812-4: texlive-bin: arbitrary code execution
ASA-201812-5: openssl: private key recovery
ASA-201812-6: lib32-openssl: private key recovery
ASA-201812-7: lib32-openssl-1.0: private key recovery
ASA-201812-8: openssl-1.0: private key recovery



ASA-201812-2: chromium: multiple issues

Arch Linux Security Advisory ASA-201812-2
=========================================

Severity: Critical
Date : 2018-12-08
CVE-ID : CVE-2018-17480 CVE-2018-17481 CVE-2018-18335 CVE-2018-18336
CVE-2018-18337 CVE-2018-18338 CVE-2018-18339 CVE-2018-18340
CVE-2018-18341 CVE-2018-18342 CVE-2018-18343 CVE-2018-18344
CVE-2018-18345 CVE-2018-18346 CVE-2018-18347 CVE-2018-18348
CVE-2018-18349 CVE-2018-18350 CVE-2018-18351 CVE-2018-18352
CVE-2018-18353 CVE-2018-18354 CVE-2018-18355 CVE-2018-18356
CVE-2018-18357 CVE-2018-18358 CVE-2018-18359
Package : chromium
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-824

Summary
=======

The package chromium before version 71.0.3578.80-1 is vulnerable to
multiple issues including arbitrary code execution, access restriction
bypass, information disclosure and insufficient validation.

Resolution
==========

Upgrade to 71.0.3578.80-1.

# pacman -Syu "chromium>=71.0.3578.80-1"

The problems have been fixed upstream in version 71.0.3578.80.

Workaround
==========

None.

Description
===========

- CVE-2018-17480 (arbitrary code execution)

An out of bounds write has been found in the V8 component of chromium
before 71.0.3578.80.

- CVE-2018-17481 (arbitrary code execution)

A use-after-free has been found in the PDFium component of chromium
before 71.0.3578.80.

- CVE-2018-18335 (arbitrary code execution)

A heap-based buffer overflow has been found in the Skia component of
chromium before 71.0.3578.80.

- CVE-2018-18336 (arbitrary code execution)

A use-after-free has been found in the PDFium component of chromium
before 71.0.3578.80.

- CVE-2018-18337 (arbitrary code execution)

A use-after-free has been found in the Blink component of chromium
before 71.0.3578.80.

- CVE-2018-18338 (arbitrary code execution)

A heap-based buffer overflow has been found in the Canva component of
chromium before 71.0.3578.80.

- CVE-2018-18339 (arbitrary code execution)

A use-after-free has been found in the WebAudio component of chromium
before 71.0.3578.80.

- CVE-2018-18340 (arbitrary code execution)

A use-after-free has been found in the MediaRecorder component of
chromium before 71.0.3578.80.

- CVE-2018-18341 (arbitrary code execution)

A heap-based buffer overflow has been found in the Blink component of
chromium before 71.0.3578.80.

- CVE-2018-18342 (arbitrary code execution)

An out of bounds write has been found in the V8 component of chromium
before 71.0.3578.80.

- CVE-2018-18343 (arbitrary code execution)

A use-after-free has been found in the Skia component of chromium
before 71.0.3578.80.

- CVE-2018-18344 (access restriction bypass)

An inappropriate implementation issue has been found in the Extensions
component of chromium before 71.0.3578.80.

- CVE-2018-18345 (access restriction bypass)

An inappropriate implementation issue has been found in the Site
Isolation component of chromium before 71.0.3578.80.

- CVE-2018-18346 (access restriction bypass)

An incorrect security UI issue has been found in the Blink component of
chromium before 71.0.3578.80.

- CVE-2018-18347 (access restriction bypass)

An inappropriate implementation issue has been found in the Navigation
component of chromium before 71.0.3578.80.

- CVE-2018-18348 (access restriction bypass)

An inappropriate implementation issue has been found in the Omnibox
component of chromium before 71.0.3578.80.

- CVE-2018-18349 (access restriction bypass)

An insufficient policy enforcement issue has been found in the Blink
component of chromium before 71.0.3578.80.

- CVE-2018-18350 (access restriction bypass)

An insufficient policy enforcement issue has been found in the Blink
component of chromium before 71.0.3578.80.

- CVE-2018-18351 (access restriction bypass)

An insufficient policy enforcement issue has been found in the
Navigation component of chromium before 71.0.3578.80.

- CVE-2018-18352 (access restriction bypass)

An inappropriate implementation issue has been found in the Media
component of chromium before 71.0.3578.80.

- CVE-2018-18353 (access restriction bypass)

An inappropriate implementation issue has been found in the Network
Authentication component of chromium before 71.0.3578.80.

- CVE-2018-18354 (insufficient validation)

An insufficient data validation issue has been found in the Shell
Integration component of chromium before 71.0.3578.80.

- CVE-2018-18355 (access restriction bypass)

An insufficient policy enforcement issue has been found in the URL
Formatter component of chromium before 71.0.3578.80.

- CVE-2018-18356 (arbitrary code execution)

A use-after-free has been found in the Skia component of chromium
before 71.0.3578.80.

- CVE-2018-18357 (access restriction bypass)

An insufficient policy enforcement issue has been found in the URL
Formatter component of chromium before 71.0.3578.80.

- CVE-2018-18358 (access restriction bypass)

An insufficient policy enforcement issue has been found in the Proxy
component of chromium before 71.0.3578.80.

- CVE-2018-18359 (information disclosure)

An out-of-bounds read has been found in the V8 component of chromium
before 71.0.3578.80.

Impact
======

A remote attacker can access sensitive information, bypass security
restrictions and execute arbitrary code on the affected host.

References
==========

https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html
https://bugs.chromium.org/p/chromium/issues/detail?id=905940
https://bugs.chromium.org/p/chromium/issues/detail?id=901654
https://bugs.chromium.org/p/chromium/issues/detail?id=895362
https://bugs.chromium.org/p/chromium/issues/detail?id=898531
https://bugs.chromium.org/p/chromium/issues/detail?id=886753
https://bugs.chromium.org/p/chromium/issues/detail?id=890576
https://bugs.chromium.org/p/chromium/issues/detail?id=891187
https://bugs.chromium.org/p/chromium/issues/detail?id=896736
https://bugs.chromium.org/p/chromium/issues/detail?id=901030
https://bugs.chromium.org/p/chromium/issues/detail?id=906313
https://bugs.chromium.org/p/chromium/issues/detail?id=882423
https://bugs.chromium.org/p/chromium/issues/detail?id=866426
https://bugs.chromium.org/p/chromium/issues/detail?id=886976
https://bugs.chromium.org/p/chromium/issues/detail?id=606104
https://bugs.chromium.org/p/chromium/issues/detail?id=850824
https://bugs.chromium.org/p/chromium/issues/detail?id=881659
https://bugs.chromium.org/p/chromium/issues/detail?id=894399
https://bugs.chromium.org/p/chromium/issues/detail?id=799747
https://bugs.chromium.org/p/chromium/issues/detail?id=833847
https://bugs.chromium.org/p/chromium/issues/detail?id=849942
https://bugs.chromium.org/p/chromium/issues/detail?id=884179
https://bugs.chromium.org/p/chromium/issues/detail?id=889459
https://bugs.chromium.org/p/chromium/issues/detail?id=896717
https://bugs.chromium.org/p/chromium/issues/detail?id=883666
https://bugs.chromium.org/p/chromium/issues/detail?id=895207
https://bugs.chromium.org/p/chromium/issues/detail?id=899126
https://bugs.chromium.org/p/chromium/issues/detail?id=907714
https://security.archlinux.org/CVE-2018-17480
https://security.archlinux.org/CVE-2018-17481
https://security.archlinux.org/CVE-2018-18335
https://security.archlinux.org/CVE-2018-18336
https://security.archlinux.org/CVE-2018-18337
https://security.archlinux.org/CVE-2018-18338
https://security.archlinux.org/CVE-2018-18339
https://security.archlinux.org/CVE-2018-18340
https://security.archlinux.org/CVE-2018-18341
https://security.archlinux.org/CVE-2018-18342
https://security.archlinux.org/CVE-2018-18343
https://security.archlinux.org/CVE-2018-18344
https://security.archlinux.org/CVE-2018-18345
https://security.archlinux.org/CVE-2018-18346
https://security.archlinux.org/CVE-2018-18347
https://security.archlinux.org/CVE-2018-18348
https://security.archlinux.org/CVE-2018-18349
https://security.archlinux.org/CVE-2018-18350
https://security.archlinux.org/CVE-2018-18351
https://security.archlinux.org/CVE-2018-18352
https://security.archlinux.org/CVE-2018-18353
https://security.archlinux.org/CVE-2018-18354
https://security.archlinux.org/CVE-2018-18355
https://security.archlinux.org/CVE-2018-18356
https://security.archlinux.org/CVE-2018-18357
https://security.archlinux.org/CVE-2018-18358
https://security.archlinux.org/CVE-2018-18359


ASA-201812-3: wireshark-cli: multiple issues

Arch Linux Security Advisory ASA-201812-3
=========================================

Severity: Critical
Date : 2018-12-08
CVE-ID : CVE-2018-19622 CVE-2018-19623 CVE-2018-19624 CVE-2018-19625
CVE-2018-19626 CVE-2018-19627 CVE-2018-19628
Package : wireshark-cli
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-825

Summary
=======

The package wireshark-cli before version 2.6.5-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and denial of service.

Resolution
==========

Upgrade to 2.6.5-1.

# pacman -Syu "wireshark-cli>=2.6.5-1"

The problems have been fixed upstream in version 2.6.5.

Workaround
==========

None.

Description
===========

- CVE-2018-19622 (denial of service)

A security issue has been found in the MMSE dissector of Wireshark
versions prior to 2.6.5, which could be made to consume excessive CPU
resources by injecting a malformed packet onto the wire or by
convincing someone to read a malformed packet trace file

- CVE-2018-19623 (arbitrary code execution)

A heap-based out-of-bounds write has been found in the LBMPDM dissector
of Wireshark versions prior to 2.6.5, which could be triggered by
injecting a malformed packet onto the wire or by convincing someone to
read a malformed packet trace file

- CVE-2018-19624 (denial of service)

A NULL-pointer dereference has been found in the PVFS dissector of
Wireshark versions prior to 2.6.5, which could be triggered by
injecting a malformed packet onto the wire or by convincing someone to
read a malformed packet trace file

- CVE-2018-19625 (information disclosure)

An out-of-bounds read has been found in the dissection engine of
Wireshark versions prior to 2.6.5, which could be triggered by
injecting a malformed packet onto the wire or by convincing someone to
read a malformed packet trace file

- CVE-2018-19626 (information disclosure)

An out-of-bounds read has been found in the DCOM dissector of Wireshark
versions prior to 2.6.5, which could be triggered by injecting a
malformed packet onto the wire or by convincing someone to read a
malformed packet trace file

- CVE-2018-19627 (information disclosure)

An out-of-bounds read has been found in the IxVeriWave file parser of
Wireshark versions prior to 2.6.5, which could be triggered by
injecting a malformed packet onto the wire or by convincing someone to
read a malformed packet trace file

- CVE-2018-19628 (denial of service)

A divide-by-zero error has been found in the ZigBee ZCL dissector of
Wireshark versions prior to 2.6.5, which could be triggered by
injecting a malformed packet onto the wire or by convincing someone to
read a malformed packet trace file

Impact
======

A remote attacker can execute arbitrary code, access sensitive
information or crash wireshark via a crafted network packet or a
capture file.

References
==========

https://www.wireshark.org/docs/relnotes/wireshark-2.6.5.html
https://www.wireshark.org/security/wnpa-sec-2018-54
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15250
https://code.wireshark.org/review/#/c/30613/
https://www.wireshark.org/security/wnpa-sec-2018-53
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15132
https://code.wireshark.org/review/#/c/30346/
https://www.wireshark.org/security/wnpa-sec-2018-56
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15280
https://code.wireshark.org/review/#/c/30811/
https://www.wireshark.org/security/wnpa-sec-2018-51
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14466
https://code.wireshark.org/review/#/c/30152/
https://www.wireshark.org/security/wnpa-sec-2018-52
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15130
https://code.wireshark.org/review/#/c/30158/
https://www.wireshark.org/security/wnpa-sec-2018-55
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15279
https://code.wireshark.org/review/#/c/30813/
https://www.wireshark.org/security/wnpa-sec-2018-57
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15281
https://code.wireshark.org/review/#/c/30810/
https://security.archlinux.org/CVE-2018-19622
https://security.archlinux.org/CVE-2018-19623
https://security.archlinux.org/CVE-2018-19624
https://security.archlinux.org/CVE-2018-19625
https://security.archlinux.org/CVE-2018-19626
https://security.archlinux.org/CVE-2018-19627
https://security.archlinux.org/CVE-2018-19628


ASA-201812-4: texlive-bin: arbitrary code execution

Arch Linux Security Advisory ASA-201812-4
=========================================

Severity: High
Date : 2018-12-08
CVE-ID : CVE-2018-17407
Package : texlive-bin
Type : arbitrary code execution
Remote : No
Link : https://security.archlinux.org/AVG-770

Summary
=======

The package texlive-bin before version 2018.48691-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 2018.48691-1.

# pacman -Syu "texlive-bin>=2018.48691-1"

The problem has been fixed upstream in version 2018.48691.

Workaround
==========

None.

Description
===========

An issue was discovered in t1_check_unusual_charstring functions in
writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the
handling of Type 1 fonts allows arbitrary code execution when a
malicious font is loaded by one of the vulnerable tools: pdflatex,
pdftex, dvips, or luatex.

Impact
======

A local attacker can execute arbitrary code via a crafted font.

References
==========

https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c
https://github.com/TeX-Live/texlive-source/commit/f1211fe16c19af8fee54146ae116e4e5c779e8b4
https://security.archlinux.org/CVE-2018-17407


ASA-201812-5: openssl: private key recovery

Arch Linux Security Advisory ASA-201812-5
=========================================

Severity: Low
Date : 2018-12-08
CVE-ID : CVE-2018-0734 CVE-2018-0735
Package : openssl
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-792

Summary
=======

The package openssl before version 1.1.1.a-1 is vulnerable to private
key recovery.

Resolution
==========

Upgrade to 1.1.1.a-1.

# pacman -Syu "openssl>=1.1.1.a-1"

The problems have been fixed upstream in version 1.1.1.a.

Workaround
==========

None.

Description
===========

- CVE-2018-0734 (private key recovery)

A timing vulnerability has been found in DSA signature generation in
openssl versions up to and including 1.1.1, where information is leaked
via a side channel when a BN is resized and could lead to private key
recovery.

- CVE-2018-0735 (private key recovery)

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable
to a timing side channel attack in openssl versions prior to 1.1.1a. An
attacker could use variations in the signing algorithm to recover the
private key.

Impact
======

A remote attacker might be able to recover a private ECDSA or DSA key
via a timing attack.

References
==========

https://www.openssl.org/news/secadv/20181029.txt
https://www.openssl.org/news/secadv/20181030.txt
https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f
https://github.com/openssl/openssl/pull/7486
https://github.com/openssl/openssl/commit/b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
https://security.archlinux.org/CVE-2018-0734
https://security.archlinux.org/CVE-2018-0735


ASA-201812-6: lib32-openssl: private key recovery

Arch Linux Security Advisory ASA-201812-6
=========================================

Severity: Low
Date : 2018-12-08
CVE-ID : CVE-2018-0734 CVE-2018-0735
Package : lib32-openssl
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-793

Summary
=======

The package lib32-openssl before version 1:1.1.1.a-1 is vulnerable to
private key recovery.

Resolution
==========

Upgrade to 1:1.1.1.a-1.

# pacman -Syu "lib32-openssl>=1:1.1.1.a-1"

The problems have been fixed upstream in version 1.1.1.a.

Workaround
==========

None.

Description
===========

- CVE-2018-0734 (private key recovery)

A timing vulnerability has been found in DSA signature generation in
openssl versions up to and including 1.1.1, where information is leaked
via a side channel when a BN is resized and could lead to private key
recovery.

- CVE-2018-0735 (private key recovery)

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable
to a timing side channel attack in openssl versions prior to 1.1.1a. An
attacker could use variations in the signing algorithm to recover the
private key.

Impact
======

A remote attacker might be able to recover a private ECDSA or DSA key
via a timing attack.

References
==========

https://www.openssl.org/news/secadv/20181029.txt
https://www.openssl.org/news/secadv/20181030.txt
https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f
https://github.com/openssl/openssl/pull/7486
https://github.com/openssl/openssl/commit/b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
https://security.archlinux.org/CVE-2018-0734
https://security.archlinux.org/CVE-2018-0735


ASA-201812-7: lib32-openssl-1.0: private key recovery

Arch Linux Security Advisory ASA-201812-7
=========================================

Severity: Low
Date : 2018-12-08
CVE-ID : CVE-2018-0734 CVE-2018-5407
Package : lib32-openssl-1.0
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-806

Summary
=======

The package lib32-openssl-1.0 before version 1.0.2.q-1 is vulnerable to
private key recovery.

Resolution
==========

Upgrade to 1.0.2.q-1.

# pacman -Syu "lib32-openssl-1.0>=1.0.2.q-1"

The problems have been fixed upstream in version 1.0.2.q.

Workaround
==========

None.

Description
===========

- CVE-2018-0734 (private key recovery)

A timing vulnerability has been found in DSA signature generation in
openssl versions up to and including 1.1.1, where information is leaked
via a side channel when a BN is resized and could lead to private key
recovery.

- CVE-2018-5407 (private key recovery)

A vulnerability has been found in the ECC scalar multiplication
implementation of OpenSSL < 1.1.0i and