Arch Linux 811 Published by

The following security updates are available for Arch Linux:

ASA-201906-4: chromium: multiple issues
ASA-201906-5: pam-u2f: information disclosure



ASA-201906-4: chromium: multiple issues


Arch Linux Security Advisory ASA-201906-4
=========================================

Severity: Critical
Date : 2019-06-07
CVE-ID : CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831
CVE-2019-5832 CVE-2019-5833 CVE-2019-5835 CVE-2019-5836
CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840
Package : chromium
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-972

Summary
=======

The package chromium before version 75.0.3770.80-1 is vulnerable to
multiple issues including arbitrary code execution, access restriction
bypass, content spoofing, incorrect calculation and information
disclosure.

Resolution
==========

Upgrade to 75.0.3770.80-1.

# pacman -Syu "chromium>=75.0.3770.80-1"

The problems have been fixed upstream in version 75.0.3770.80.

Workaround
==========

None.

Description
===========

- CVE-2019-5828 (arbitrary code execution)

A use-after-free vulnerability has been found in the ServiceWorker
component of the chromium browser before 75.0.3770.80.

- CVE-2019-5829 (arbitrary code execution)

A use-after-free vulnerability has been found in the Download Manager
component of the chromium browser before 75.0.3770.80.

- CVE-2019-5830 (access restriction bypass)

An incorrectly credentialed requests vulnerability has been found in
the CORS component of the chromium browser before 75.0.3770.80.

- CVE-2019-5831 (incorrect calculation)

An incorrect map processing vulnerability has been found in the V8
component of the chromium browser before 75.0.3770.80.

- CVE-2019-5832 (access restriction bypass)

An incorrect CORS handling vulnerability has been found in the XHR
component of the chromium browser before 75.0.3770.80.

- CVE-2019-5833 (content spoofing)

An inconsistent security UI placement vulnerability has been found in
the chromium browser before 75.0.3770.80.

- CVE-2019-5835 (information disclosure)

An out-of-bounds read vulnerability has been found in the Swiftshader
component of the chromium browser before 75.0.3770.80.

- CVE-2019-5836 (arbitrary code execution)

A heap-based buffer overflow vulnerability has been found in the Angle
component of the chromium browser before 75.0.3770.80.

- CVE-2019-5837 (information disclosure)

A cross-origin resources size disclosure vulnerability has been found
in the Appcache component of the chromium browser before 75.0.3770.80.

- CVE-2019-5838 (access restriction bypass)

An overly permissive tab access vulnerability has been found in the
Extensions component of the chromium browser before 75.0.3770.80.

- CVE-2019-5839 (access restriction bypass)

An incorrect handling of certain code points vulnerability has been
found in the Blink component of the chromium browser before
75.0.3770.80.

- CVE-2019-5840 (access restriction bypass)

A popup blocker bypass vulnerability has been found in the chromium
browser before 75.0.3770.80.

Impact
======

A remote attacker can access sensitive information, bypass security
measures, spoof content and execute arbitrary code on the affected
host.

References
==========

https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-desktop.html
https://crbug.com/956597
https://crbug.com/958533
https://crbug.com/665766
https://crbug.com/950328
https://crbug.com/959390
https://crbug.com/945067
https://crbug.com/939239
https://crbug.com/947342
https://crbug.com/918293
https://crbug.com/893087
https://crbug.com/925614
https://crbug.com/951782
https://security.archlinux.org/CVE-2019-5828
https://security.archlinux.org/CVE-2019-5829
https://security.archlinux.org/CVE-2019-5830
https://security.archlinux.org/CVE-2019-5831
https://security.archlinux.org/CVE-2019-5832
https://security.archlinux.org/CVE-2019-5833
https://security.archlinux.org/CVE-2019-5835
https://security.archlinux.org/CVE-2019-5836
https://security.archlinux.org/CVE-2019-5837
https://security.archlinux.org/CVE-2019-5838
https://security.archlinux.org/CVE-2019-5839
https://security.archlinux.org/CVE-2019-5840


ASA-201906-5: pam-u2f: information disclosure


Arch Linux Security Advisory ASA-201906-5
=========================================

Severity: Medium
Date : 2019-06-07
CVE-ID : CVE-2019-12209 CVE-2019-12210
Package : pam-u2f
Type : information disclosure
Remote : No
Link : https://security.archlinux.org/AVG-973

Summary
=======

The package pam-u2f before version 1.0.8-2 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 1.0.8-2.

# pacman -Syu "pam-u2f>=1.0.8-2"

The problems have been fixed upstream in version 1.0.8.

Workaround
==========

A major mitigation for both issues is to remove the `debug` and
`debug_file` options for `pam_u2f.so` in the PAM configuration.
Furthermore enabling the `openasuser` option will mitigate the symlink
attack in CVE-2019-12209.

Description
===========

- CVE-2019-12209 (information disclosure)

A symbolic link attack has been found in pam-u2f before 1.8.0. The file
`$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module.
It can be a symlink pointing to an arbitrary file. The PAM module only
rejects non-regular files and files owned by other users than root or
the to-be-authenticated user. Even these checks are only made after
open()'ing the file, which may already trigger certain logic in the
kernel that is otherwise not reachable to regular users.

If the PAM modules' `debug` option is also enabled then most of the
content of the file is written either to stdout, stderr, syslog or to
the defined debug file. Therefore this can pose an information leak to
access e.g. the contents of /etc/shadow, /root/.bash_history or
similar sensitive files. Furthermore the symlink attack can be used to
use other
users' u2f_keys files in the authentication process.

- CVE-2019-12210 (information disclosure)

A file descriptor leak has been found in pam-u2f before 1.8.0. If the
`debug` and `debug_file` options are set then the opened debug file
will be inherited to the successfully authenticated user's process.
Therefore this user can write further information to it, possibly
filling up a privileged file system or manipulating the information
found in the debug file.
This can leak sensitive information and also, if written to, be used to
fill the disk or plant misinformation.

Impact
======

An authenticated user can access sensitive information via a crafted
symlink or a leaked file descriptor.

References
==========

https://seclists.org/oss-sec/2019/q2/149
https://bugzilla.suse.com/show_bug.cgi?id=1087061
https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
https://security.archlinux.org/CVE-2019-12209
https://security.archlinux.org/CVE-2019-12210