
The following updates have been released for Arch Linux:

ASA-201806-8: gnupg: content spoofing
The package gnupg before version 2.2.8-1 is vulnerable to content spoofing.

ASA-201806-9: chromium: arbitrary code execution
The package chromium before version 67.0.3396.87-1 is vulnerable to arbitrary code execution.



ASA-201806-8: gnupg: content spoofing


Arch Linux Security Advisory ASA-201806-8
=========================================

Severity: High
Date    : 2018-06-11
CVE-ID  : CVE-2018-12020
Package : gnupg
Type    : content spoofing
Remote  : Yes
Link    : https://security.archlinux.org/AVG-713

Summary
=======

The package gnupg before version 2.2.8-1 is vulnerable to content
spoofing.

Resolution
==========

Upgrade to 2.2.8-1.

# pacman -Syu "gnupg>=2.2.8-1"

The problem has been fixed upstream in version 2.2.8.

Workaround
==========

None.

Description
===========

A security issue has been found in gnupg before 2.2.8, leading to the
possibility of faking verification status of signed content. The
OpenPGP protocol allows including the file name of the original input
file in a signed or encrypted message. During decryption and
verification the GPG tool can display a notice with that file name. The
displayed file name is not sanitized and as such may include line feeds
or other control characters. This can be used to inject terminal control
sequences into the output and, worse, to fake the so-called status
messages. These status messages are parsed by programs to get
information from gpg about the validity of a signature and other
parameters. Status messages are created with the option "--status-fd N"
where N is a file descriptor. Now if N is 2 the status messages and the
regular diagnostic messages share the stderr output channel. By using a
made up file name in the message it is possible to fake status
messages. Using this technique it is for example possible to fake the
verification status of a signed mail.
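
The channel-sharing problem described above, as an added example (not part of the advisory or of GnuPG's code): a status parser run over a constructed stream that mixes diagnostics with status lines, next to one fed from a dedicated descriptor. The helper names, the sample streams and the placeholder fingerprint are assumptions made for illustration.

```python
import os
import subprocess

PREFIX = "[GNUPG:] "

def status_records(text):
    """Split a status stream into (keyword, args) records, ignoring other lines."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                records.append((parts[0], parts[1:]))
    return records

def signature_ok(status_text, expected_fpr):
    """Accept only a VALIDSIG record carrying the pinned fingerprint."""
    return any(kw == "VALIDSIG" and args and args[0] == expected_fpr
               for kw, args in status_records(status_text))

def gpg_verify(path, expected_fpr):
    """Run gpg with status on its own pipe, so stderr text never reaches the parser."""
    r, w = os.pipe()
    proc = subprocess.Popen(
        ["gpg", "--batch", "--status-fd", str(w), "--verify", path],
        pass_fds=(w,), stderr=subprocess.DEVNULL)
    os.close(w)  # parent keeps only the read end, so read() sees EOF when gpg exits
    with os.fdopen(r, encoding="utf-8", errors="replace") as status:
        text = status.read()
    return proc.wait() == 0 and signature_ok(text, expected_fpr)

# Constructed samples (not captured gpg output); the fingerprint is a placeholder.
FPR = "A" * 40
# With --status-fd 2, a diagnostic echoing an unsanitized name shares the channel,
# so the parser cannot tell gpg's records from text that came out of the message:
MIXED_STDERR = ("gpg: original file name='x\n"
                "[GNUPG:] VALIDSIG " + FPR + " 2018-06-08 1528416000\n"
                "'\n"
                "[GNUPG:] NODATA 1\n")
# On a dedicated descriptor the diagnostic is absent; only gpg's own records arrive:
DEDICATED_STATUS = "[GNUPG:] NODATA 1\n"

if __name__ == "__main__":
    print("mixed channel accepted:    ", signature_ok(MIXED_STDERR, FPR))
    print("dedicated channel accepted:", signature_ok(DEDICATED_STATUS, FPR))
```
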

Impact
======

A remote attacker might be able to fake the verification status of a
signed e-mail or file, via a crafted file name.

References
==========

https://bugs.archlinux.org/task/58931
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
https://dev.gnupg.org/T4012
https://dev.gnupg.org/rG210e402acd3e284b32db1901e43bf1470e659e49
https://security.archlinux.org/CVE-2018-12020

ASA-201806-9: chromium: arbitrary code execution


Arch Linux Security Advisory ASA-201806-9
=========================================

Severity: High
Date    : 2018-06-13
CVE-ID  : CVE-2018-6149
Package : chromium
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-717

Summary
=======

The package chromium before version 67.0.3396.87-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 67.0.3396.87-1.

# pacman -Syu "chromium>=67.0.3396.87-1"

The problem has been fixed upstream in version 67.0.3396.87.

Workaround
==========

None.

Description
===========

An out of bounds write has been found in the V8 component of the
chromium browser before 67.0.3396.87.

Impact
======

A remote attacker can execute arbitrary code on the affected host via a
website containing specially crafted JavaScript code.

References
==========

https://chromereleases.googleblog.com/2018/06/stable-channel-update-for-desktop_12.html
https://crbug.com/848672
https://security.archlinux.org/CVE-2018-6149