Arch Linux 805 Published by

Levente Polyak has announced the following security updates for Arch Linux:

ASA-201910-1: exim: arbitrary code execution
ASA-201910-2: ruby: multiple issues
ASA-201910-3: systemd: access restriction bypass
ASA-201910-4: ruby-rdoc: cross-site scripting
ASA-201910-5: ruby2.5: multiple issues



ASA-201910-1: exim: arbitrary code execution

Arch Linux Security Advisory ASA-201910-1
=========================================

Severity: Critical
Date : 2019-10-02
CVE-ID : CVE-2019-16928
Package : exim
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1038

Summary
=======

The package exim before version 4.92.3-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 4.92.3-1.

# pacman -Syu "exim>=4.92.3-1"

The problem has been fixed upstream in version 4.92.3.

Workaround
==========

None.

Description
===========

It has been discovered that Exim before 4.92.3 is vulnerable to a heap-
based buffer overflow in string_vformat (string.c) involving a long
EHLO command leading to remote code execution.

Impact
======

A remote attacker is able to execute arbitrary code on the affected
host by sending a specifically crafted long EHLO command.

References
==========

https://www.exim.org/static/doc/security/CVE-2019-16928.txt
https://bugs.exim.org/show_bug.cgi?id=2449
https://git.exim.org/exim.git/commitdiff/478effbfd9c3cc5a627fc671d4bf94d13670d65f
https://www.openwall.com/lists/oss-security/2019/09/28/1
https://security.archlinux.org/CVE-2019-16928

ASA-201910-2: ruby: multiple issues

Arch Linux Security Advisory ASA-201910-2
=========================================

Severity: Medium
Date : 2019-10-02
CVE-ID : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255
Package : ruby
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1039

Summary
=======

The package ruby before version 2.6.5-1 is vulnerable to multiple
issues including arbitrary code execution, content spoofing, denial of
service and insufficient validation.

Resolution
==========

Upgrade to 2.6.5-1.

# pacman -Syu "ruby>=2.6.5-1"

The problems have been fixed upstream in version 2.6.5.

Workaround
==========

None.

Description
===========

- CVE-2019-15845 (insufficient validation)

It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is
vulnerable to NUL injection in built-in methods (File.fnmatch and
File.fnmatch?). An attacker who has the control of the path pattern
parameter could exploit this vulnerability to make path matching pass
despite the intention of the program author.
The Built-in methods File.fnmatch and its alias File.fnmatch? accept
the path pattern as their first parameter. When the pattern contains
NUL character (\0), the methods recognize that the path pattern ends
immediately before the NUL byte. Therefore, a script that uses an
external input as the pattern argument, an attacker can make it wrongly
match a pathname that is the second parameter.

- CVE-2019-16201 (denial of service)

It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is
vulnerable to denial of service via regular expressions in WEBrick's
Digest access authentication module. An attacker can exploit this
vulnerability to cause an effective denial of service against a WEBrick
service.

- CVE-2019-16254 (content spoofing)

It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is
vulnerable to HTTP response splitting in WEBrick bundled with Ruby. If
a program using WEBrick inserts untrusted input into the response
header, an attacker can exploit it to insert a newline character to
split a header, and inject malicious content to deceive clients.
This is the same issue as CVE-2017-17742. The previous fix was
incomplete, which addressed the CRLF vector, but did not address an
isolated CR or an isolated LF.

- CVE-2019-16255 (arbitrary code execution)

It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is
vulnerable to code injection. Shell#[] and its alias Shell#test defined
in lib/shell.rb allow code injection if the first argument (aka the
“command” argument) is untrusted data. An attacker can exploit this to
call an arbitrary Ruby method.

Impact
======

A remote attacker is able to bypass path restrictions, perform a denial
of service attack, inject malicious content or call an arbitrary Ruby
method under certain circumstances.

References
==========

https://bugs.archlinux.org/task/63977
https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
https://security.archlinux.org/CVE-2019-15845
https://security.archlinux.org/CVE-2019-16201
https://security.archlinux.org/CVE-2019-16254
https://security.archlinux.org/CVE-2019-16255

ASA-201910-3: systemd: access restriction bypass

Arch Linux Security Advisory ASA-201910-3
=========================================

Severity: Medium
Date : 2019-10-02
CVE-ID : CVE-2019-15718
Package : systemd
Type : access restriction bypass
Remote : No
Link : https://security.archlinux.org/AVG-1035

Summary
=======

The package systemd before version 243.0-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 243.0-1.

# pacman -Syu "systemd>=243.0-1"

The problem has been fixed upstream in version 243.0.

Workaround
==========

None.

Description
===========

An improper authorization flaw was discovered in systemd-resolved
before v234 in the way it configures the exposed DBus interface
org.freedesktop.resolve1. An unprivileged local attacker could call all
DBus methods, even when marked as privileged operations. An attacker
could abuse this flaw by changing the DNS, Search Domain, LLMNR, DNSSEC
and other network link settings without any authorization, allowing
control of the network names resolution process and cause the system to
communicate with wrong or malicious servers. Those operations should be
performed only by an high-privileged user.

Impact
======

A local unprivileged attacker is able to change the DNS, Search Domain,
LLMNR, DNSSEC and other network link settings without any
authorization, allowing control of the network names resolution process
and cause the system to communicate with wrong or malicious servers.

References
==========

https://www.openwall.com/lists/oss-security/2019/09/03/1
https://bugzilla.redhat.com/show_bug.cgi?id=1746057
https://github.com/systemd/systemd/commit/d93d10c3d101a73fe70d24154fd744a48371f002
https://github.com/systemd/systemd/pull/13457
https://security.archlinux.org/CVE-2019-15718

ASA-201910-4: ruby-rdoc: cross-site scripting

Arch Linux Security Advisory ASA-201910-4
=========================================

Severity: Medium
Date : 2019-10-02
CVE-ID : CVE-2012-6708 CVE-2015-9251
Package : ruby-rdoc
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-1041

Summary
=======

The package ruby-rdoc before version 6.1.2-1 is vulnerable to cross-
site scripting.

Resolution
==========

Upgrade to 6.1.2-1.

# pacman -Syu "ruby-rdoc>=6.1.2-1"

The problems have been fixed upstream in version 6.1.2.

Workaround
==========

None.

Description
===========

- CVE-2012-6708 (cross-site scripting)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS)
attacks. The jQuery(strInput) function does not differentiate selectors
from HTML in a reliable fashion. In vulnerable versions, jQuery
determined whether the input was HTML by looking for the '

ASA-201910-5: ruby2.5: multiple issues

Arch Linux Security Advisory ASA-201910-5
=========================================

Severity: Medium
Date : 2019-10-02
CVE-ID : CVE-2012-6708 CVE-2015-9251 CVE-2019-15845 CVE-2019-16201
CVE-2019-16254 CVE-2019-16255
Package : ruby2.5
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1040

Summary
=======

The package ruby2.5 before version 2.5.7-1 is vulnerable to multiple
issues including arbitrary code execution, content spoofing, cross-site
scripting, denial of service and insufficient validation.

Resolution
==========

Upgrade to 2.5.7-1.

# pacman -Syu "ruby2.5>=2.5.7-1"

The problems have been fixed upstream in version 2.5.7.

Workaround
==========

None.

Description
===========

- CVE-2012-6708 (cross-site scripting)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS)
attacks. The jQuery(strInput) function does not differentiate selectors
from HTML in a reliable fashion. In vulnerable versions, jQuery
determined whether the input was HTML by looking for the '