Arch Linux 805 Published by

The following updates has been released for Arch Linux:

ASA-201905-1: munin: arbitrary file overwrite
ASA-201905-2: linux: arbitrary code execution
ASA-201905-3: nautilus: sandbox escape
ASA-201905-4: linux-zen: arbitrary code execution
ASA-201905-5: tcpreplay: multiple issues
ASA-201905-6: dovecot: denial of service
ASA-201905-7: perl-email-address: denial of service



ASA-201905-1: munin: arbitrary file overwrite

Arch Linux Security Advisory ASA-201905-1
=========================================

Severity: High
Date : 2019-05-06
CVE-ID : CVE-2017-6188
Package : munin
Type : arbitrary file overwrite
Remote : Yes
Link : https://security.archlinux.org/AVG-953

Summary
=======

The package munin before version 2.0.47-1 is vulnerable to arbitrary
file overwrite.

Resolution
==========

Upgrade to 2.0.47-1.

# pacman -Syu "munin>=2.0.47-1"

The problem has been fixed upstream in version 2.0.47.

Workaround
==========

None.

Description
===========

A vulnerability in munin allows attackers to overwrite any file
accessible to the webserver user by setting multiple upper_limit GET
parameters when CGI graphs are enabled.

Impact
======

A remote attacker is able to overwrite arbitrary files on the
filesystem.

References
==========

https://bugs.archlinux.org/task/57537
https://www.debian.org/security/2017/dsa-3794
https://github.com/munin-monitoring/munin/pull/797/commits/42ce18f24d3eae8be33526a198bf21e4f2330230
https://security.archlinux.org/CVE-2017-6188


ASA-201905-2: linux: arbitrary code execution

Arch Linux Security Advisory ASA-201905-2
=========================================

Severity: High
Date : 2019-05-06
CVE-ID : CVE-2019-11683
Package : linux
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-955

Summary
=======

The package linux before version 5.0.12.arch2-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 5.0.12.arch2-1.

# pacman -Syu "linux>=5.0.12.arch2-1"

The problem has been fixed upstream in version 5.0.12.arch2.

Workaround
==========

None.

Description
===========

udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel
5.x through 5.0.11 allows remote attackers to cause a denial of service
(slab-out-of-bounds memory corruption) or possibly have unspecified
other impact via UDP packets with a 0 payload, because of mishandling
of padded packets, aka the "GRO packet of death" issue.

Impact
======

A remote attacker is able to cause a denial of service possibly leading
to remote code execution by sending UDP packets with a special payload.

References
==========

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=4dd2b82d5adfbe0b1587ccad7a8f76d826120f37
http://www.securityfocus.com/bid/108142
http://www.openwall.com/lists/oss-security/2019/05/05/4
http://www.openwall.com/lists/oss-security/2019/05/02/1
https://security.archlinux.org/CVE-2019-11683


ASA-201905-3: nautilus: sandbox escape

Arch Linux Security Advisory ASA-201905-3
=========================================

Severity: High
Date : 2019-05-06
CVE-ID : CVE-2019-11461
Package : nautilus
Type : sandbox escape
Remote : No
Link : https://security.archlinux.org/AVG-956

Summary
=======

The package nautilus before version 3.32.1-1 is vulnerable to sandbox
escape.

Resolution
==========

Upgrade to 3.32.1-1.

# pacman -Syu "nautilus>=3.32.1-1"

The problem has been fixed upstream in version 3.32.1.

Workaround
==========

None.

Description
===========

An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32
prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap
sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push
characters into the input buffer of the thumbnailer's controlling
terminal, allowing an attacker to escape the sandbox if the thumbnailer
has a controlling terminal. This is due to improper filtering of the
TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.

Impact
======

A local attacker is able to escape the sandbox.

References
==========

https://gitlab.gnome.org/GNOME/nautilus/issues/987
https://gitlab.gnome.org/GNOME/nautilus/commit/2ddba428ef2b13d0620bd599c3635b9c11044659
https://security.archlinux.org/CVE-2019-11461


ASA-201905-4: linux-zen: arbitrary code execution

Arch Linux Security Advisory ASA-201905-4
=========================================

Severity: High
Date : 2019-05-06
CVE-ID : CVE-2019-11683
Package : linux-zen
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-957

Summary
=======

The package linux-zen before version 5.0.12.zen2-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 5.0.12.zen2-1.

# pacman -Syu "linux-zen>=5.0.12.zen2-1"

The problem has been fixed upstream in version 5.0.12.zen2.

Workaround
==========

None.

Description
===========

udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel
5.x through 5.0.11 allows remote attackers to cause a denial of service
(slab-out-of-bounds memory corruption) or possibly have unspecified
other impact via UDP packets with a 0 payload, because of mishandling
of padded packets, aka the "GRO packet of death" issue.

Impact
======

A remote attacker is able to cause a denial of service possibly leading
to remote code execution by sending UDP packets with a special payload.

References
==========

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=4dd2b82d5adfbe0b1587ccad7a8f76d826120f37
http://www.securityfocus.com/bid/108142
http://www.openwall.com/lists/oss-security/2019/05/05/4
http://www.openwall.com/lists/oss-security/2019/05/02/1
https://security.archlinux.org/CVE-2019-11683


ASA-201905-5: tcpreplay: multiple issues

Arch Linux Security Advisory ASA-201905-5
=========================================

Severity: High
Date : 2019-05-06
CVE-ID : CVE-2019-8376 CVE-2019-8377 CVE-2019-8381
Package : tcpreplay
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-902

Summary
=======

The package tcpreplay before version 4.3.2-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 4.3.2-1.

# pacman -Syu "tcpreplay>=4.3.2-1"

The problems have been fixed upstream in version 4.3.2.

Workaround
==========

None.

Description
===========

- CVE-2019-8376 (denial of service)

An issue was discovered in tcpreplay 4.3.1. A NULL pointer dereference
occurred in the function get_layer4_v6() located at get.c. This can be
triggered by sending a crafted pcap file to the tcpreplay-edit binary.
It allows an attacker to cause a Denial of Service (Segmentation fault)
or possibly have unspecified other impact.

- CVE-2019-8377 (denial of service)

An issue was discovered in tcpreplay 4.3.1. A NULL pointer dereference
occurred in the function get_ipv6_l4proto() located at get.c. This can
be triggered by sending a crafted pcap file to the tcpreplay-edit
binary. It allows an attacker to cause a Denial of Service
(Segmentation fault) or possibly have unspecified other impact.

- CVE-2019-8381 (arbitrary code execution)

An issue was discovered in tcpreplay 4.3.1. An invalid memory access
occurs in do_checksum in checksum.c. It can be triggered by sending a
crafted pcap file to the tcpreplay-edit binary. It allows an attacker
to cause a Denial of Service (Segmentation fault) or possibly have
unspecified other impact.

Impact
======

A remote attacker is able to cause a denial of service, or execute
arbitrary code, with a specially crafted pcap file.

References
==========

https://github.com/appneta/tcpreplay/issues/537
https://research.loginsoft.com/vulnerability/null-pointer-dereference-vulnerability-in-function-get_layer4_v6-tcpreplay-4-3-1/
https://github.com/appneta/tcpreplay/issues/536
https://research.loginsoft.com/vulnerability/null-pointer-dereference-vulnerability-in-function-get_ipv6_l4proto-tcpreplay-4-3-1/
https://research.loginsoft.com/bugs/invalid-memory-access-vulnerability-in-function-do_checksum-tcpreplay-4-3-1/
https://github.com/appneta/tcpreplay/issues/538
https://github.com/appneta/tcpreplay/pull/548/commits/dae97cbafc5c06ebbc6b34e76ba614104f1b73e1
https://security.archlinux.org/CVE-2019-8376
https://security.archlinux.org/CVE-2019-8377
https://security.archlinux.org/CVE-2019-8381


ASA-201905-6: dovecot: denial of service

Arch Linux Security Advisory ASA-201905-6
=========================================

Severity: Medium
Date : 2019-05-06
CVE-ID : CVE-2019-11494 CVE-2019-11499
Package : dovecot
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-954

Summary
=======

The package dovecot before version 2.3.6-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 2.3.6-1.

# pacman -Syu "dovecot>=2.3.6-1"

The problems have been fixed upstream in version 2.3.6.

Workaround
==========

None.

Description
===========

- CVE-2019-11494 (denial of service)

Submission-login crashes with signal 11 due to null pointer access when
authentication is aborted by disconnecting. This can lead to denial-of
service attack by persistent attacker(s).

- CVE-2019-11499 (denial of service)

Submission-login crashes when authentication is started over TLS
secured channel and invalid authentication message is sent. This can
lead to denial-of-service attack by persistent attacker(s).

Impact
======

A remote attacker is able to cause a denial of service by sending
invalid authentication messages or aborting the authentication process.

References
==========

https://dovecot.org/doc/NEWS-2.3
https://www.mail-archive.com/fulldisclosure@seclists.org/msg06126.html
https://dovecot.org/pipermail/dovecot/2019-April/115757.html
https://dovecot.org/pipermail/dovecot/2019-April/115758.html
https://security.archlinux.org/CVE-2019-11494
https://security.archlinux.org/CVE-2019-11499


ASA-201905-7: perl-email-address: denial of service

Arch Linux Security Advisory ASA-201905-7
=========================================

Severity: Low
Date : 2019-05-06
CVE-ID : CVE-2018-12558
Package : perl-email-address
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-722

Summary
=======

The package perl-email-address before version 1.912-1 is vulnerable to
denial of service.

Resolution
==========

Upgrade to 1.912-1.

# pacman -Syu "perl-email-address>=1.912-1"

The problem has been fixed upstream in version 1.912.

Workaround
==========

None.

Description
===========

perl-email-address 1.909 is vulnerable to Algorithm Complexity problem
and can cause Denial of Service when attacker prepares specially
crafted input.

Impact
======

A remote attacker can cause a denial of service via specially crafted
input.

References
==========

https://github.com/Perl-Email-Project/Email-Address/issues/19
http://www.openwall.com/lists/oss-security/2018/06/19/3
https://security.archlinux.org/CVE-2018-12558