Arch Linux 802 Published by

The following security updates are available for Arch Linux:

ASA-201902-10: libcurl-gnutls: arbitrary code execution
ASA-201902-11: lib32-libcurl-gnutls: arbitrary code execution
ASA-201902-12: lib32-libcurl-compat: arbitrary code execution
ASA-201902-13: lib32-curl: arbitrary code execution
ASA-201902-14: python-django: denial of service
ASA-201902-15: python2-django: denial of service
ASA-201902-5: rdesktop: multiple issues
ASA-201902-6: runc: privilege escalation
ASA-201902-7: libu2f-host: arbitrary code execution
ASA-201902-8: aubio: denial of service
ASA-201902-9: curl: arbitrary code execution



ASA-201902-10: libcurl-gnutls: arbitrary code execution


Arch Linux Security Advisory ASA-201902-10
==========================================

Severity: High
Date : 2019-02-12
CVE-ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823
Package : libcurl-gnutls
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-877

Summary
=======

The package libcurl-gnutls before version 7.64.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 7.64.0-1.

# pacman -Syu "libcurl-gnutls>=7.64.0-1"

The problems have been fixed upstream in version 7.64.0.

Workaround
==========

None.

Description
===========

- CVE-2018-16890 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap
buffer out-of-bounds read. The function handling incoming NTLM type-2
messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not
validate incoming data correctly and is subject to an integer overflow
vulnerability. Using that overflow, a malicious or broken NTLM server
could trick libcurl to accept a bad length + offset combination that
would lead to a buffer read out-of-bounds.

- CVE-2019-3822 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a
stack-based buffer overflow. The function creating an outgoing NTLM
type-3 header
(`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates
the request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed
is implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening. This output data can grow larger
than the local buffer if very large "nt response" data is extracted
from a previous NTLMv2 header provided by the malicious or broken HTTP
server. Such a "large value" needs to be around 1000 bytes or more. The
actual payload data copied to the target buffer comes from the NTLMv2
type-2 response header.

- CVE-2019-3823 (arbitrary code execution)

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap
out-of-bounds read in the code handling the end-of-response for SMTP.
If the buffer passed to `smtp_endofresp()` isn't NUL terminated and
contains no character ending the parsed number, and `len` is set to 5,
then the `strtol()` call reads beyond the allocated buffer. The read
contents will not be returned to the caller.

Impact
======

A malicious remote server could execute arbitrary code by sending
malicious NTLM or SMTP replies.

References
==========

https://curl.haxx.se/docs/CVE-2018-16890.html
https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb
https://curl.haxx.se/docs/CVE-2019-3822.html
https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc
https://curl.haxx.se/docs/CVE-2019-3823.html
https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484
https://security.archlinux.org/CVE-2018-16890
https://security.archlinux.org/CVE-2019-3822
https://security.archlinux.org/CVE-2019-3823

ASA-201902-11: lib32-libcurl-gnutls: arbitrary code execution


Arch Linux Security Advisory ASA-201902-11
==========================================

Severity: High
Date : 2019-02-12
CVE-ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823
Package : lib32-libcurl-gnutls
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-876

Summary
=======

The package lib32-libcurl-gnutls before version 7.64.0-1 is vulnerable
to arbitrary code execution.

Resolution
==========

Upgrade to 7.64.0-1.

# pacman -Syu "lib32-libcurl-gnutls>=7.64.0-1"

The problems have been fixed upstream in version 7.64.0.

Workaround
==========

None.

Description
===========

- CVE-2018-16890 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap
buffer out-of-bounds read. The function handling incoming NTLM type-2
messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not
validate incoming data correctly and is subject to an integer overflow
vulnerability. Using that overflow, a malicious or broken NTLM server
could trick libcurl to accept a bad length + offset combination that
would lead to a buffer read out-of-bounds.

- CVE-2019-3822 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a
stack-based buffer overflow. The function creating an outgoing NTLM
type-3 header
(`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates
the request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed
is implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening. This output data can grow larger
than the local buffer if very large "nt response" data is extracted
from a previous NTLMv2 header provided by the malicious or broken HTTP
server. Such a "large value" needs to be around 1000 bytes or more. The
actual payload data copied to the target buffer comes from the NTLMv2
type-2 response header.

- CVE-2019-3823 (arbitrary code execution)

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap
out-of-bounds read in the code handling the end-of-response for SMTP.
If the buffer passed to `smtp_endofresp()` isn't NUL terminated and
contains no character ending the parsed number, and `len` is set to 5,
then the `strtol()` call reads beyond the allocated buffer. The read
contents will not be returned to the caller.

Impact
======

A malicious remote server could execute arbitrary code by sending
malicious NTLM or SMTP replies.

References
==========

https://curl.haxx.se/docs/CVE-2018-16890.html
https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb
https://curl.haxx.se/docs/CVE-2019-3822.html
https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc
https://curl.haxx.se/docs/CVE-2019-3823.html
https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484
https://security.archlinux.org/CVE-2018-16890
https://security.archlinux.org/CVE-2019-3822
https://security.archlinux.org/CVE-2019-3823

ASA-201902-12: lib32-libcurl-compat: arbitrary code execution


Arch Linux Security Advisory ASA-201902-12
==========================================

Severity: High
Date : 2019-02-12
CVE-ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823
Package : lib32-libcurl-compat
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-875

Summary
=======

The package lib32-libcurl-compat before version 7.64.0-1 is vulnerable
to arbitrary code execution.

Resolution
==========

Upgrade to 7.64.0-1.

# pacman -Syu "lib32-libcurl-compat>=7.64.0-1"

The problems have been fixed upstream in version 7.64.0.

Workaround
==========

None.

Description
===========

- CVE-2018-16890 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap
buffer out-of-bounds read. The function handling incoming NTLM type-2
messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not
validate incoming data correctly and is subject to an integer overflow
vulnerability. Using that overflow, a malicious or broken NTLM server
could trick libcurl to accept a bad length + offset combination that
would lead to a buffer read out-of-bounds.

- CVE-2019-3822 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a
stack-based buffer overflow. The function creating an outgoing NTLM
type-3 header
(`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates
the request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed
is implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening. This output data can grow larger
than the local buffer if very large "nt response" data is extracted
from a previous NTLMv2 header provided by the malicious or broken HTTP
server. Such a "large value" needs to be around 1000 bytes or more. The
actual payload data copied to the target buffer comes from the NTLMv2
type-2 response header.

- CVE-2019-3823 (arbitrary code execution)

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap
out-of-bounds read in the code handling the end-of-response for SMTP.
If the buffer passed to `smtp_endofresp()` isn't NUL terminated and
contains no character ending the parsed number, and `len` is set to 5,
then the `strtol()` call reads beyond the allocated buffer. The read
contents will not be returned to the caller.

Impact
======

A malicious remote server could execute arbitrary code by sending
malicious NTLM or SMTP replies.

References
==========

https://curl.haxx.se/docs/CVE-2018-16890.html
https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb
https://curl.haxx.se/docs/CVE-2019-3822.html
https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc
https://curl.haxx.se/docs/CVE-2019-3823.html
https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484
https://security.archlinux.org/CVE-2018-16890
https://security.archlinux.org/CVE-2019-3822
https://security.archlinux.org/CVE-2019-3823

ASA-201902-13: lib32-curl: arbitrary code execution


Arch Linux Security Advisory ASA-201902-13
==========================================

Severity: High
Date : 2019-02-12
CVE-ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823
Package : lib32-curl
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-874

Summary
=======

The package lib32-curl before version 7.64.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 7.64.0-1.

# pacman -Syu "lib32-curl>=7.64.0-1"

The problems have been fixed upstream in version 7.64.0.

Workaround
==========

None.

Description
===========

- CVE-2018-16890 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap
buffer out-of-bounds read. The function handling incoming NTLM type-2
messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not
validate incoming data correctly and is subject to an integer overflow
vulnerability. Using that overflow, a malicious or broken NTLM server
could trick libcurl to accept a bad length + offset combination that
would lead to a buffer read out-of-bounds.

- CVE-2019-3822 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a
stack-based buffer overflow. The function creating an outgoing NTLM
type-3 header
(`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates
the request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed
is implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening. This output data can grow larger
than the local buffer if very large "nt response" data is extracted
from a previous NTLMv2 header provided by the malicious or broken HTTP
server. Such a "large value" needs to be around 1000 bytes or more. The
actual payload data copied to the target buffer comes from the NTLMv2
type-2 response header.

- CVE-2019-3823 (arbitrary code execution)

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap
out-of-bounds read in the code handling the end-of-response for SMTP.
If the buffer passed to `smtp_endofresp()` isn't NUL terminated and
contains no character ending the parsed number, and `len` is set to 5,
then the `strtol()` call reads beyond the allocated buffer. The read
contents will not be returned to the caller.

Impact
======

A malicious remote server could execute arbitrary code by sending
malicious NTLM or SMTP replies.

References
==========

https://curl.haxx.se/docs/CVE-2018-16890.html
https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb
https://curl.haxx.se/docs/CVE-2019-3822.html
https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc
https://curl.haxx.se/docs/CVE-2019-3823.html
https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484
https://security.archlinux.org/CVE-2018-16890
https://security.archlinux.org/CVE-2019-3822
https://security.archlinux.org/CVE-2019-3823

ASA-201902-14: python-django: denial of service

Arch Linux Security Advisory ASA-201902-14
==========================================

Severity: Medium
Date : 2019-02-12
CVE-ID : CVE-2019-6975
Package : python-django
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-881

Summary
=======

The package python-django before version 2.1.6-1 is vulnerable to
denial of service.

Resolution
==========

Upgrade to 2.1.6-1.

# pacman -Syu "python-django>=2.1.6-1"

The problem has been fixed upstream in version 2.1.6.

Workaround
==========

None.

Description
===========

Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before
2.1.6 allows uncontrolled memory consumption via a malicious attacker-
supplied value to the django.utils.numberformat.format() function.
If the affected numberformat function as used by contrib.admin as well
as the the floatformat, filesizeformat, and intcomma templates filters
receives a Decimal with a large number of digits or a large exponent,
it could lead to significant memory usage due to a call to
'{:f}'.format().

Impact
======

A remote attacker is able to crash a target server that uses float-
number-based filters by making the server filter numbers with very
large exponents or number of digits.

References
==========

https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
https://www.openwall.com/lists/oss-security/2019/02/11/1
https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227
https://github.com/django/django/commit/40cd19055773705301c3428ed5e08a036d2091f3
https://security.archlinux.org/CVE-2019-6975

ASA-201902-15: python2-django: denial of service

Arch Linux Security Advisory ASA-201902-15
==========================================

Severity: Medium
Date : 2019-02-12
CVE-ID : CVE-2019-6975
Package : python2-django
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-882

Summary
=======

The package python2-django before version 1.11.19-1 is vulnerable to
denial of service.

Resolution
==========

Upgrade to 1.11.19-1.

# pacman -Syu "python2-django>=1.11.19-1"

The problem has been fixed upstream in version 1.11.19.

Workaround
==========

None.

Description
===========

Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before
2.1.6 allows uncontrolled memory consumption via a malicious attacker-
supplied value to the django.utils.numberformat.format() function.
If the affected numberformat function as used by contrib.admin as well
as the the floatformat, filesizeformat, and intcomma templates filters
receives a Decimal with a large number of digits or a large exponent,
it could lead to significant memory usage due to a call to
'{:f}'.format().

Impact
======

A remote attacker is able to crash a target server that uses float-
number-based filters by making the server filter numbers with very
large exponents or number of digits.

References
==========

https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
https://www.openwall.com/lists/oss-security/2019/02/11/1
https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227
https://github.com/django/django/commit/40cd19055773705301c3428ed5e08a036d2091f3
https://security.archlinux.org/CVE-2019-6975

ASA-201902-5: rdesktop: multiple issues

Arch Linux Security Advisory ASA-201902-5
=========================================

Severity: High
Date : 2019-02-11
CVE-ID : CVE-2018-8791 CVE-2018-8792 CVE-2018-8793 CVE-2018-8794
CVE-2018-8795 CVE-2018-8796 CVE-2018-8797 CVE-2018-8798
CVE-2018-8799 CVE-2018-8800 CVE-2018-20174 CVE-2018-20175
CVE-2018-20176 CVE-2018-20177 CVE-2018-20178 CVE-2018-20179
CVE-2018-20180 CVE-2018-20181 CVE-2018-20182
Package : rdesktop
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-871

Summary
=======

The package rdesktop before version 1.8.4-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service and
information disclosure.

Resolution
==========

Upgrade to 1.8.4-1.

# pacman -Syu "rdesktop>=1.8.4-1"

The problems have been fixed upstream in version 1.8.4.

Workaround
==========

None.

Description
===========

- CVE-2018-8791 (information disclosure)

rdesktop before 1.8.4 is vulnerable to an out-of-bounds read in
function rdpdr_process() that results in an information leak.

- CVE-2018-8792 (denial of service)

rdesktop before 1.8.4 is vulnerable to an out-of-bounds read in
function cssp_read_tsrequest() that results in a denial of service
(segfault).

- CVE-2018-8793 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to a heap-based buffer overflow in
function cssp_read_tsrequest() that results in a memory corruption and
probably even a remote code execution.

- CVE-2018-8794 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to an integer overflow that leads
to an out-of-bounds write in function process_bitmap_updates() and
results in a memory corruption and possibly even a remote code
execution.

- CVE-2018-8795 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to an integer overflow that leads
to a heap-based buffer overflow in function process_bitmap_updates()
and results in a memory corruption and probably even a remote code
execution.

- CVE-2018-8796 (denial of service)

rdesktop before 1.8.4 is vulnerable to an out-of-bounds read in
function process_bitmap_updates() that results in a denial of service
(segfault).

- CVE-2018-8797 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to a heap-based buffer overflow in
function process_plane() that results in a memory corruption and
probably even a remote code execution.

- CVE-2018-8798 (information disclosure)

rdesktop before 1.8.4 is vulnerable to an out-of-bounds read in
function rdpsnd_process_ping() that results in an information leak.

- CVE-2018-8799 (denial of service)

rdesktop before 1.8.4 is vulnerable to an out-of-bounds read in
function process_secondary_order() that results in a denial of service
(segfault).

- CVE-2018-8800 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to a heap-based buffer overflow in
function ui_clip_handle_data() that results in a memory corruption and
probably even a remote code execution.

- CVE-2018-20174 (information disclosure)

rdesktop before 1.8.4 is vulnerable to an information leak in
ui_clip_handle_data().

- CVE-2018-20175 (denial of service)

rdesktop before 1.8.4 is vulnerable to denial of service in
mcs_recv_connect_response() and mcs_parse_domain_params().

- CVE-2018-20176 (denial of service)

rdesktop before 1.8.4 is vulnerable to denial of service in
sec_parse_crypt_info() and sec_recv().

- CVE-2018-20177 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to a memory corruption issue in
rdp_in_unistr() that could lead to arbitrary code execution.

- CVE-2018-20178 (denial of service)

rdesktop before 1.8.4 is vulnerable to denial of service in
process_demand_active().

- CVE-2018-20179 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to remote code execution in
lspci_process().

- CVE-2018-20180 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to remote code execution in
rdpsnddbg_process().

- CVE-2018-20181 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to remote code execution in
seamless_process().

- CVE-2018-20182 (arbitrary code execution)

rdesktop before 1.8.4 is vulnerable to remote code execution in
seamless_process_line().

Impact
======

A remote attacker is able to execute arbitrary code, access sensitive
information or crash rdesktop when the client connects to a malicious
server in control of the attacker.

References
==========

https://bugs.archlinux.org/task/61652
https://github.com/rdesktop/rdesktop/commit/4dca546d04321a610c1835010b5dad85163b65e1
https://security.archlinux.org/CVE-2018-8791
https://security.archlinux.org/CVE-2018-8792
https://security.archlinux.org/CVE-2018-8793
https://security.archlinux.org/CVE-2018-8794
https://security.archlinux.org/CVE-2018-8795
https://security.archlinux.org/CVE-2018-8796
https://security.archlinux.org/CVE-2018-8797
https://security.archlinux.org/CVE-2018-8798
https://security.archlinux.org/CVE-2018-8799
https://security.archlinux.org/CVE-2018-8800
https://security.archlinux.org/CVE-2018-20174
https://security.archlinux.org/CVE-2018-20175
https://security.archlinux.org/CVE-2018-20176
https://security.archlinux.org/CVE-2018-20177
https://security.archlinux.org/CVE-2018-20178
https://security.archlinux.org/CVE-2018-20179
https://security.archlinux.org/CVE-2018-20180
https://security.archlinux.org/CVE-2018-20181
https://security.archlinux.org/CVE-2018-20182

ASA-201902-6: runc: privilege escalation


Arch Linux Security Advisory ASA-201902-6
=========================================

Severity: High
Date : 2019-02-11
CVE-ID : CVE-2019-5736
Package : runc
Type : privilege escalation
Remote : Yes
Link : https://security.archlinux.org/AVG-878

Summary
=======

The package runc before version 1.0.0rc6-1 is vulnerable to privilege
escalation.

Resolution
==========

Upgrade to 1.0.0rc6-1.

# pacman -Syu "runc>=1.0.0rc6-1"

The problem has been fixed upstream in version 1.0.0rc6.

Workaround
==========

Don't run privileged containers.

Description
===========

A vulnerability discovered in runc through 1.0-rc6, as used in Docker
before 18.09.2 and other products, allows attackers to overwrite the
host runc binary (and consequently obtain host root access) by
leveraging the ability to execute a command as root within one of these
types of containers: (1) a new container with an attacker-controlled
image, or (2) an existing container, to which the attacker previously
had write access, that can be attached with docker exec. This occurs
because of file-descriptor mishandling, related to /proc/self/exe.

Impact
======

A malicious container can escalate privileges to gain access as root on
the host system and execute arbitrary code.

References
==========

https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
https://www.openwall.com/lists/oss-security/2019/02/11/2
https://security.archlinux.org/CVE-2019-5736


ASA-201902-7: libu2f-host: arbitrary code execution


Arch Linux Security Advisory ASA-201902-7
=========================================

Severity: High
Date : 2019-02-11
CVE-ID : CVE-2018-20340
Package : libu2f-host
Type : arbitrary code execution
Remote : No
Link : https://security.archlinux.org/AVG-884

Summary
=======

The package libu2f-host before version 1.1.7-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1.1.7-1.

# pacman -Syu "libu2f-host>=1.1.7-1"

The problem has been fixed upstream in version 1.1.7.

Workaround
==========

None.

Description
===========

Yubico library libu2f-host prior to version 1.1.7 contains an unchecked
buffer, which could allow a buffer overflow. Libu2f-host is a library
that implements the host party of the U2F protocol. This issue can
allow an attacker with a custom made malicious USB device masquerading
as a security key, and physical access to a computer where PAM U2F or
an application with libu2f-host integrated, to potentially execute
arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are
the most impacted since the arbitrary code could execute with elevated
privileges.

Impact
======

A malicious USB device can execute arbitrary code on the host.

References
==========

https://www.yubico.com/support/security-advisories/ysa-2019-01/
https://security.archlinux.org/CVE-2018-20340


ASA-201902-8: aubio: denial of service


Arch Linux Security Advisory ASA-201902-8
=========================================

Severity: Medium
Date : 2019-02-12
CVE-ID : CVE-2018-19800 CVE-2018-19801 CVE-2018-19802
Package : aubio
Type : denial of service
Remote : No
Link : https://security.archlinux.org/AVG-888

Summary
=======

The package aubio before version 0.4.9-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 0.4.9-1.

# pacman -Syu "aubio>=0.4.9-1"

The problems have been fixed upstream in version 0.4.9.

Workaround
==========

None.

Description
===========

- CVE-2018-19800 (denial of service)

A potential buffer overflow vulnerability was found on invalid
new_aubio-tempo in aubio before 0.4.9, which may lead to application
crash when playing a crafted audio file.

- CVE-2018-19801 (denial of service)

A NULL pointer dereference (denial of service) vulnerability was found
on invalid n_filters in aubio before 0.4.9, which may lead to
application crash when playing a crafted audio file.

- CVE-2018-19802 (denial of service)

A NULL pointer dereference (denial of service) vulnerability was found
on invalid new_aubio_onset in aubio before 0.4.9, which may lead to
application crash when playing a crafted audio file.

Impact
======

An attacker might be able to crash the software by tricking the user
into opening a crafted audio file.

References
==========

https://github.com/aubio/aubio/blob/0.4.9/ChangeLog#L14-L17
https://github.com/aubio/aubio/commit/1cf031a3a5b869368562b1251419fd45191eaa53
https://github.com/aubio/aubio/commit/bcc53876548334b4c5f1ebd47a5bd5f151974e8b
https://github.com/aubio/aubio/commit/c5ee1307bdc004e43302abeca1802c2692b33a8e
https://security.archlinux.org/CVE-2018-19800
https://security.archlinux.org/CVE-2018-19801
https://security.archlinux.org/CVE-2018-19802


ASA-201902-9: curl: arbitrary code execution

Arch Linux Security Advisory ASA-201902-9
=========================================

Severity: High
Date : 2019-02-12
CVE-ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823
Package : curl
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-873

Summary
=======

The package curl before version 7.64.0-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 7.64.0-1.

# pacman -Syu "curl>=7.64.0-1"

The problems have been fixed upstream in version 7.64.0.

Workaround
==========

None.

Description
===========

- CVE-2018-16890 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap
buffer out-of-bounds read. The function handling incoming NTLM type-2
messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not
validate incoming data correctly and is subject to an integer overflow
vulnerability. Using that overflow, a malicious or broken NTLM server
could trick libcurl to accept a bad length + offset combination that
would lead to a buffer read out-of-bounds.

- CVE-2019-3822 (arbitrary code execution)

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a
stack-based buffer overflow. The function creating an outgoing NTLM
type-3 header
(`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates
the request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed
is implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening. This output data can grow larger
than the local buffer if very large "nt response" data is extracted
from a previous NTLMv2 header provided by the malicious or broken HTTP
server. Such a "large value" needs to be around 1000 bytes or more. The
actual payload data copied to the target buffer comes from the NTLMv2
type-2 response header.

- CVE-2019-3823 (arbitrary code execution)

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap
out-of-bounds read in the code handling the end-of-response for SMTP.
If the buffer passed to `smtp_endofresp()` isn't NUL terminated and
contains no character ending the parsed number, and `len` is set to 5,
then the `strtol()` call reads beyond the allocated buffer. The read
contents will not be returned to the caller.

Impact
======

A malicious remote server could execute arbitrary code by sending
malicious NTLM or SMTP replies.

References
==========

https://curl.haxx.se/docs/CVE-2018-16890.html
https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb
https://curl.haxx.se/docs/CVE-2019-3822.html
https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc
https://curl.haxx.se/docs/CVE-2019-3823.html
https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484
https://security.archlinux.org/CVE-2018-16890
https://security.archlinux.org/CVE-2019-3822
https://security.archlinux.org/CVE-2019-3823