Arch Linux 805 Published by

Jelle van der Waa has announced the following security updates for Arch Linux:

ASA-201908-14: gettext: arbitrary code execution
ASA-201908-15: go: multiple issues
ASA-201908-16: go-pie: multiple issues
ASA-201908-17: libnghttp2: denial of service
ASA-201908-18: dovecot: arbitrary code execution
ASA-201908-19: pigeonhole: arbitrary code execution



ASA-201908-14: gettext: arbitrary code execution

Arch Linux Security Advisory ASA-201908-14
==========================================

Severity: High
Date : 2019-08-24
CVE-ID : CVE-2018-18751
Package : gettext
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-885

Summary
=======

The package gettext before version 0.20.1-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 0.20.1-1.

# pacman -Syu "gettext>=0.20.1-1"

The problem has been fixed upstream in version 0.20.1.

Workaround
==========

None.

Description
===========

An issue was discovered in GNU gettext 0.19.8. There is a double free
in default_add_message in read-catalog.c, related to an invalid free in
po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.

Impact
======

A local attacker is able to execute arbitrary code by using a specially
crafted message.

References
==========

https://github.com/CCCCCrash/POCs/tree/master/Bin/Tools-gettext-0.19.8.1/heapcorruption
https://github.com/CCCCCrash/POCs/tree/master/Bin/Tools-gettext-0.19.8.1/doublefree
https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=commitdiff;h=dce3a16
https://security.archlinux.org/CVE-2018-18751


ASA-201908-15: go: multiple issues

Arch Linux Security Advisory ASA-201908-15
==========================================

Severity: Medium
Date : 2019-08-24
CVE-ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-14809
Package : go
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1021

Summary
=======

The package go before version 2:1.12.8-1 is vulnerable to multiple
issues including denial of service and insufficient validation.

Resolution
==========

Upgrade to 2:1.12.8-1.

# pacman -Syu "go>=2:1.12.8-1"

The problems have been fixed upstream in version 1.12.8.

Workaround
==========

None.

Description
===========

- CVE-2019-9512 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker sends continual pings to an HTTP/2 peer, causing the peer to
build an internal queue of responses. Depending on how efficiently this
data is queued, this can consume excess CPU, memory, or both,
potentially leading to a denial of service.

- CVE-2019-9514 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker opens a number of streams and sends an invalid request over
each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can
consume excess memory, CPU, or both, potentially leading to a denial of
service.

- CVE-2019-14809 (insufficient validation)

An issue has been found in Go before 1.12.8, where url.Parse would
accept URLs with malformed hosts, such that the Host field could have
arbitrary suffixes that would appear in neither Hostname() nor Port(),
allowing authorization bypasses in certain applications. Note that URLs
with invalid, not numeric ports will now return an error from
url.Parse.

Impact
======

A remote attacker is able to cause a denial of service by sending a
specially crafted packet or bypass authorization due to insufficient
validation.

References
==========

https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://golang.org/issue/29098
https://security.archlinux.org/CVE-2019-9512
https://security.archlinux.org/CVE-2019-9514
https://security.archlinux.org/CVE-2019-14809


ASA-201908-16: go-pie: multiple issues

Arch Linux Security Advisory ASA-201908-16
==========================================

Severity: Medium
Date : 2019-08-24
CVE-ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-14809
Package : go-pie
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1020

Summary
=======

The package go-pie before version 2:1.12.8-1 is vulnerable to multiple
issues including denial of service and insufficient validation.

Resolution
==========

Upgrade to 2:1.12.8-1.

# pacman -Syu "go-pie>=2:1.12.8-1"

The problems have been fixed upstream in version 1.12.8.

Workaround
==========

None.

Description
===========

- CVE-2019-9512 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker sends continual pings to an HTTP/2 peer, causing the peer to
build an internal queue of responses. Depending on how efficiently this
data is queued, this can consume excess CPU, memory, or both,
potentially leading to a denial of service.

- CVE-2019-9514 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker opens a number of streams and sends an invalid request over
each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can
consume excess memory, CPU, or both, potentially leading to a denial of
service.

- CVE-2019-14809 (insufficient validation)

An issue has been found in Go before 1.12.8, where url.Parse would
accept URLs with malformed hosts, such that the Host field could have
arbitrary suffixes that would appear in neither Hostname() nor Port(),
allowing authorization bypasses in certain applications. Note that URLs
with invalid, not numeric ports will now return an error from
url.Parse.

Impact
======

A remote attacker is able to cause a denial of service by sending a
specially crafted packet or bypass authorization due to insufficient
validation.

References
==========

https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://golang.org/issue/29098
https://security.archlinux.org/CVE-2019-9512
https://security.archlinux.org/CVE-2019-9514
https://security.archlinux.org/CVE-2019-14809


ASA-201908-17: libnghttp2: denial of service

Arch Linux Security Advisory ASA-201908-17
==========================================

Severity: Medium
Date : 2019-08-27
CVE-ID : CVE-2019-9511 CVE-2019-9513
Package : libnghttp2
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1024

Summary
=======

The package libnghttp2 before version 1.39.2-1 is vulnerable to denial
of service.

Resolution
==========

Upgrade to 1.39.2-1.

# pacman -Syu "libnghttp2>=1.39.2-1"

The problems have been fixed upstream in version 1.39.2.

Workaround
==========

None.

Description
===========

- CVE-2019-9511 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker requests a large amount of data from a specified resource over
multiple streams. They manipulate window size and stream priority to
force the server to queue the data in 1-byte chunks. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.

- CVE-2019-9513 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker creates multiple request streams and continually shuffles the
priority of the streams in a way that causes substantial churn to the
priority tree. This can consume excess CPU, potentially leading to a
denial of service.

Impact
======

A remote attacker is able to cause a denial of service by sending a
specially crafted packet.

References
==========

https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089
https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f
https://security.archlinux.org/CVE-2019-9511
https://security.archlinux.org/CVE-2019-9513


ASA-201908-18: dovecot: arbitrary code execution

Arch Linux Security Advisory ASA-201908-18
==========================================

Severity: Critical
Date : 2019-08-28
CVE-ID : CVE-2019-11500
Package : dovecot
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1026

Summary
=======

The package dovecot before version 2.3.7.2-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 2.3.7.2-1.

# pacman -Syu "dovecot>=2.3.7.2-1"

The problem has been fixed upstream in version 2.3.7.2.

Workaround
==========

None.

Description
===========

IMAP and ManageSieve protocol parsers in Dovecot before 2.3.7.2 and
Pigeonhole before 0.5.7.2 do not properly handle NUL byte when scanning
data in quoted strings, leading to out of bounds heap memory writes.

Impact
======

A remote, unauthenticated attacker can access sensitive information or
execute arbitrary code on the affected host via a crafted IMAP command.

References
==========

https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html
https://github.com/dovecot/core/commit/85fcb895ca7f0bcb8ee72047fe0e1e78532ff90b
https://github.com/dovecot/core/commit/f904cbdfec25582bc5e2a7435bf82ff769f2526a
https://github.com/dovecot/pigeonhole/commit/7ce9990a5e6ba59e89b7fe1c07f574279aed922c
https://github.com/dovecot/pigeonhole/commit/4a299840cdb51f61f8d1ebc0210b19c40dfbc1cc
https://security.archlinux.org/CVE-2019-11500


ASA-201908-19: pigeonhole: arbitrary code execution

Arch Linux Security Advisory ASA-201908-19
==========================================

Severity: Critical
Date : 2019-08-28
CVE-ID : CVE-2019-11500
Package : pigeonhole
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1027

Summary
=======

The package pigeonhole before version 0.5.7.2-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 0.5.7.2-1.

# pacman -Syu "pigeonhole>=0.5.7.2-1"

The problem has been fixed upstream in version 0.5.7.2.

Workaround
==========

None.

Description
===========

IMAP and ManageSieve protocol parsers in Dovecot before 2.3.7.2 and
Pigeonhole before 0.5.7.2 do not properly handle NUL byte when scanning
data in quoted strings, leading to out of bounds heap memory writes.

Impact
======

A remote, unauthenticated attacker can access sensitive information or
execute arbitrary code on the affected host via a crafted ManageSieve
command.

References
==========

https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html
https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html
https://github.com/dovecot/core/commit/85fcb895ca7f0bcb8ee72047fe0e1e78532ff90b
https://github.com/dovecot/core/commit/f904cbdfec25582bc5e2a7435bf82ff769f2526a
https://github.com/dovecot/pigeonhole/commit/7ce9990a5e6ba59e89b7fe1c07f574279aed922c
https://github.com/dovecot/pigeonhole/commit/4a299840cdb51f61f8d1ebc0210b19c40dfbc1cc
https://security.archlinux.org/CVE-2019-11500