Arch Linux 805 Published by

The following updates has been released for Arch Linux:

ASA-201905-11: libcurl-compat: arbitrary code execution
ASA-201905-12: libcurl-gnutls: arbitrary code execution
ASA-201905-13: lib32-libcurl-gnutls: arbitrary code execution
ASA-201905-14: lib32-libcurl-compat: arbitrary code execution
ASA-201905-15: lib32-curl: arbitrary code execution
ASA-201905-16: curl: arbitrary code execution
ASA-201905-17: live-media: multiple issues



ASA-201905-11: libcurl-compat: arbitrary code execution


Arch Linux Security Advisory ASA-201905-11
==========================================

Severity: High
Date : 2019-05-31
CVE-ID : CVE-2019-5436
Package : libcurl-compat
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-959

Summary
=======

The package libcurl-compat before version 7.65.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "libcurl-compat>=7.65.0-1"

The problem has been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

libcurl before 7.65.0 contains a heap buffer overflow in the function
(tftp_receive_packet()) that receives data from a TFTP server. It calls
recvfrom() with the default size for the buffer rather than with the
size that was used to allocate it. Thus, the content that might
overwrite the heap memory is entirely controlled by the server.

The flaw exists if the user selects to use a "blksize" of 504 or
smaller (default is 512). The smaller size that is used, the larger the
possible overflow becomes. Users choosing a smaller size than default
should be rare as the primary use case for changing the size is to make
it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected
host.

References
==========

https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5436

ASA-201905-12: libcurl-gnutls: arbitrary code execution


Arch Linux Security Advisory ASA-201905-12
==========================================

Severity: High
Date : 2019-05-31
CVE-ID : CVE-2019-5436
Package : libcurl-gnutls
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-960

Summary
=======

The package libcurl-gnutls before version 7.65.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "libcurl-gnutls>=7.65.0-1"

The problem has been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

libcurl before 7.65.0 contains a heap buffer overflow in the function
(tftp_receive_packet()) that receives data from a TFTP server. It calls
recvfrom() with the default size for the buffer rather than with the
size that was used to allocate it. Thus, the content that might
overwrite the heap memory is entirely controlled by the server.

The flaw exists if the user selects to use a "blksize" of 504 or
smaller (default is 512). The smaller size that is used, the larger the
possible overflow becomes. Users choosing a smaller size than default
should be rare as the primary use case for changing the size is to make
it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected
host.

References
==========

https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5436

ASA-201905-13: lib32-libcurl-gnutls: arbitrary code execution


Arch Linux Security Advisory ASA-201905-13
==========================================

Severity: High
Date : 2019-05-31
CVE-ID : CVE-2019-5435 CVE-2019-5436
Package : lib32-libcurl-gnutls
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-961

Summary
=======

The package lib32-libcurl-gnutls before version 7.65.0-1 is vulnerable
to arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "lib32-libcurl-gnutls>=7.65.0-1"

The problems have been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

- CVE-2019-5435 (arbitrary code execution)

libcurl before 7.65.0 contains two integer overflows in the
curl_url_set() function that if triggered, can lead to a too small
buffer allocation and a subsequent heap buffer overflow. The flaws only
exist on 32 bit architectures and require excessive string input
lengths.

- CVE-2019-5436 (arbitrary code execution)

libcurl before 7.65.0 contains a heap buffer overflow in the function
(tftp_receive_packet()) that receives data from a TFTP server. It calls
recvfrom() with the default size for the buffer rather than with the
size that was used to allocate it. Thus, the content that might
overwrite the heap memory is entirely controlled by the server.

The flaw exists if the user selects to use a "blksize" of 504 or
smaller (default is 512). The smaller size that is used, the larger the
possible overflow becomes. Users choosing a smaller size than default
should be rare as the primary use case for changing the size is to make
it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected
host. A remote attacker can execute arbitrary code on the affected host
via a crafted URL part of excessive length.

References
==========

https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/5fc28510a4664f4
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5435
https://security.archlinux.org/CVE-2019-5436

ASA-201905-14: lib32-libcurl-compat: arbitrary code execution


Arch Linux Security Advisory ASA-201905-14
==========================================

Severity: High
Date : 2019-05-31
CVE-ID : CVE-2019-5435 CVE-2019-5436
Package : lib32-libcurl-compat
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-962

Summary
=======

The package lib32-libcurl-compat before version 7.65.0-1 is vulnerable
to arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "lib32-libcurl-compat>=7.65.0-1"

The problems have been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

- CVE-2019-5435 (arbitrary code execution)

libcurl before 7.65.0 contains two integer overflows in the
curl_url_set() function that if triggered, can lead to a too small
buffer allocation and a subsequent heap buffer overflow. The flaws only
exist on 32 bit architectures and require excessive string input
lengths.

- CVE-2019-5436 (arbitrary code execution)

libcurl before 7.65.0 contains a heap buffer overflow in the function
(tftp_receive_packet()) that receives data from a TFTP server. It calls
recvfrom() with the default size for the buffer rather than with the
size that was used to allocate it. Thus, the content that might
overwrite the heap memory is entirely controlled by the server.

The flaw exists if the user selects to use a "blksize" of 504 or
smaller (default is 512). The smaller size that is used, the larger the
possible overflow becomes. Users choosing a smaller size than default
should be rare as the primary use case for changing the size is to make
it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected
host. A remote attacker can execute arbitrary code on the affected host
via a crafted URL part of excessive length.

References
==========

https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/5fc28510a4664f4
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5435
https://security.archlinux.org/CVE-2019-5436

ASA-201905-15: lib32-curl: arbitrary code execution


Arch Linux Security Advisory ASA-201905-15
==========================================

Severity: High
Date : 2019-05-31
CVE-ID : CVE-2019-5435 CVE-2019-5436
Package : lib32-curl
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-963

Summary
=======

The package lib32-curl before version 7.65.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "lib32-curl>=7.65.0-1"

The problems have been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

- CVE-2019-5435 (arbitrary code execution)

libcurl before 7.65.0 contains two integer overflows in the
curl_url_set() function that if triggered, can lead to a too small
buffer allocation and a subsequent heap buffer overflow. The flaws only
exist on 32 bit architectures and require excessive string input
lengths.

- CVE-2019-5436 (arbitrary code execution)

libcurl before 7.65.0 contains a heap buffer overflow in the function
(tftp_receive_packet()) that receives data from a TFTP server. It calls
recvfrom() with the default size for the buffer rather than with the
size that was used to allocate it. Thus, the content that might
overwrite the heap memory is entirely controlled by the server.

The flaw exists if the user selects to use a "blksize" of 504 or
smaller (default is 512). The smaller size that is used, the larger the
possible overflow becomes. Users choosing a smaller size than default
should be rare as the primary use case for changing the size is to make
it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected
host. A remote attacker can execute arbitrary code on the affected host
via a crafted URL part of excessive length.

References
==========

https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/5fc28510a4664f4
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5435
https://security.archlinux.org/CVE-2019-5436

ASA-201905-16: curl: arbitrary code execution


Arch Linux Security Advisory ASA-201905-16
==========================================

Severity: High
Date : 2019-05-31
CVE-ID : CVE-2019-5436
Package : curl
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-964

Summary
=======

The package curl before version 7.65.0-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 7.65.0-1.

# pacman -Syu "curl>=7.65.0-1"

The problem has been fixed upstream in version 7.65.0.

Workaround
==========

None.

Description
===========

libcurl before 7.65.0 contains a heap buffer overflow in the function
(tftp_receive_packet()) that receives data from a TFTP server. It calls
recvfrom() with the default size for the buffer rather than with the
size that was used to allocate it. Thus, the content that might
overwrite the heap memory is entirely controlled by the server.

The flaw exists if the user selects to use a "blksize" of 504 or
smaller (default is 512). The smaller size that is used, the larger the
possible overflow becomes. Users choosing a smaller size than default
should be rare as the primary use case for changing the size is to make
it larger.

Impact
======

A malicious TFTP server can execute arbitrary code on the affected
host.

References
==========

https://curl.haxx.se/docs/CVE-2019-5436.html
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
https://security.archlinux.org/CVE-2019-5436

ASA-201905-17: live-media: multiple issues


Arch Linux Security Advisory ASA-201905-17
==========================================

Severity: Critical
Date : 2019-05-31
CVE-ID : CVE-2019-7314 CVE-2019-7733
Package : live-media
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-870

Summary
=======

The package live-media before version 2019.05.12-1 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.

Resolution
==========

Upgrade to 2019.05.12-1.

# pacman -Syu "live-media>=2019.05.12-1"

The problems have been fixed upstream in version 2019.05.12.

Workaround
==========

None.

Description
===========

- CVE-2019-7314 (arbitrary code execution)

liblivemedia in Live555 before 2019.02.03 mishandles the termination of
an RTSP stream after RTP/RTCP-over-RTSP has been set up, which could
lead to a use-after-free error that causes the RTSP server to crash
(Segmentation fault) or possibly have unspecified other impact.

- CVE-2019-7733 (denial of service)

In Live555 0.95, a setup packet can cause a memory leak leading to DoS
because, when there are multiple instances of a single field (username,
realm, nonce, uri, or response), only the last instance can ever be
freed.

Impact
======

A remote attacker can cause a crash or execute arbitrary code on the
affected host via a crafted stream packet.

References
==========

http://lists.live555.com/pipermail/live-devel/2019-February/021143.html
http://www.live555.com/liveMedia/public/changelog.txt
https://github.com/rgaufman/live555/issues/21
https://security.archlinux.org/CVE-2019-7314
https://security.archlinux.org/CVE-2019-7733