Arch Linux 811 Published by

The following security updates has been released for Arch Linux:

ASA-201902-1: dovecot: authentication bypass
ASA-201902-2: firefox: multiple issues
ASA-201902-3: chromium: multiple issues
ASA-201902-4: spice: arbitrary code execution



ASA-201902-1: dovecot: authentication bypass


Arch Linux Security Advisory ASA-201902-1
=========================================

Severity: High
Date : 2019-02-06
CVE-ID : CVE-2019-3814
Package : dovecot
Type : authentication bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-872

Summary
=======

The package dovecot before version 2.3.4.1-1 is vulnerable to
authentication bypass.

Resolution
==========

Upgrade to 2.3.4.1-1.

# pacman -Syu "dovecot>=2.3.4.1-1"

The problem has been fixed upstream in version 2.3.4.1.

Workaround
==========

None.

Description
===========

A vulnerability has been found in Dovecot versions prior to 2.3.4.1,
allowing a remote client in possession of a trusted SSL certificate to
log in as any user, in some configurations.
This affects only installations using auth_ssl_require_client_cert =
yes and auth_ssl_username_from_cert = yes, and the the attacker might
have access to a trusted certificate without the
ssl_cert_username_field (default to commonName) set in it.

Impact
======

A remote client in possession of a trusted SSL certificate might be
able to log in as any user.

References
==========

https://www.dovecot.org/pipermail/dovecot/2019-February/114575.html
https://github.com/dovecot/core/commit/61471a5c42528090cffcca9bceded316746637b7
https://security.archlinux.org/CVE-2019-3814


ASA-201902-2: firefox: multiple issues


Arch Linux Security Advisory ASA-201902-2
=========================================

Severity: Critical
Date : 2019-02-06
CVE-ID : CVE-2018-18500 CVE-2018-18501 CVE-2018-18502 CVE-2018-18503
CVE-2018-18504 CVE-2018-18505 CVE-2018-18506
Package : firefox
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-862

Summary
=======

The package firefox before version 65.0-1 is vulnerable to multiple
issues including arbitrary code execution, privilege escalation and
access restriction bypass.

Resolution
==========

Upgrade to 65.0-1.

# pacman -Syu "firefox>=65.0-1"

The problems have been fixed upstream in version 65.0.

Workaround
==========

None.

Description
===========

- CVE-2018-18500 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 65.0, that
can occur while parsing an HTML5 stream in concert with custom HTML
elements. This results in the stream parser object being freed while
still in use, leading to a potentially exploitable crash.

- CVE-2018-18501 (arbitrary code execution)

Several memory safety bugs have been found in Firefox < 65.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2018-18502 (arbitrary code execution)

Several memory safety bugs have been found in Firefox < 65.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2018-18503 (arbitrary code execution)

A memory corruption vulnerability has been found in the Audio Buffer
component of Firefox < 65.0. When JavaScript is used to create and
manipulate an audio buffer, a potentially exploitable crash may occur
because of a compartment mismatch in some situations.

- CVE-2018-18504 (arbitrary code execution)

A memory corruption and out-of-bounds read have been found in Firefox <
65.0, that can occur when the buffer of a texture client is freed while
it is still in use during graphic operations. This results in a
potentially exploitable crash and the possibility of reading from the
memory of the freed buffers.

- CVE-2018-18505 (privilege escalation)

A privilege escalation issue has been found in Firefox < 65.0. An
earlier fix for an Inter-process Communication (IPC) vulnerability,
CVE-2011-3079, added authentication to communication between IPC
endpoints and server parents during IPC process creation. This
authentication is insufficient for channels created after the IPC
process is started, leading to the authentication not being correctly
applied to later channels. This could allow for a sandbox escape
through IPC channels due to lack of message validation in the listener
process.

- CVE-2018-18506 (access restriction bypass)

When proxy auto-detection is enabled in Firefox < 65.0, if a web server
serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded
locally, this PAC file can specify that requests to the localhost are
to be sent through the proxy to another server. This behavior is
disallowed by default when a proxy is manually configured, but when
enabled could allow for attacks on services and tools that bind to the
localhost for networked behavior if they are accessed through browsing.

Impact
======

A remote attacker might be able to execute arbitrary code via a crafted
web content, or force requests to localhost to be sent through a proxy
to another server. A local attacker might be able to escape firefox's
sandbox via privilege escalation .

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18500
https://bugzilla.mozilla.org/show_bug.cgi?id=1510114
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18501
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1512450%2C1517542%2C1513201%2C1460619%2C1502871%2C1516738%2C1516514
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18502
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1499426%2C1480090%2C1472990%2C1514762%2C1501482%2C1505887%2C1508102%2C1508618%2C1511580%2C1493497%2C1510145%2C1516289%2C1506798%2C1512758
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18503
https://bugzilla.mozilla.org/show_bug.cgi?id=1509442
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18504
https://bugzilla.mozilla.org/show_bug.cgi?id=1496413
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18505
https://bugzilla.mozilla.org/show_bug.cgi?id=1497749
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18506
https://bugzilla.mozilla.org/show_bug.cgi?id=1503393
https://security.archlinux.org/CVE-2018-18500
https://security.archlinux.org/CVE-2018-18501
https://security.archlinux.org/CVE-2018-18502
https://security.archlinux.org/CVE-2018-18503
https://security.archlinux.org/CVE-2018-18504
https://security.archlinux.org/CVE-2018-18505
https://security.archlinux.org/CVE-2018-18506

ASA-201902-3: chromium: multiple issues

Arch Linux Security Advisory ASA-201902-3
=========================================

Severity: Critical
Date : 2019-02-11
CVE-ID : CVE-2019-5754 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757
CVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761
CVE-2019-5762 CVE-2019-5763 CVE-2019-5764 CVE-2019-5765
CVE-2019-5766 CVE-2019-5767 CVE-2019-5768 CVE-2019-5769
CVE-2019-5770 CVE-2019-5771 CVE-2019-5772 CVE-2019-5773
CVE-2019-5774 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777
CVE-2019-5778 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781
CVE-2019-5782 CVE-2019-5783
Package : chromium
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-861

Summary
=======

The package chromium before version 72.0.3626.81-1 is vulnerable to
multiple issues including arbitrary code execution, access restriction
bypass, content spoofing and insufficient validation.

Resolution
==========

Upgrade to 72.0.3626.81-1.

# pacman -Syu "chromium>=72.0.3626.81-1"

The problems have been fixed upstream in version 72.0.3626.81.

Workaround
==========

None.

Description
===========

- CVE-2019-5754 (arbitrary code execution)

A security issue has been found in the QUIC implementation of the
chromium browser before 72.0.3626.81.

- CVE-2019-5755 (arbitrary code execution)

A security issue has been found in the V8 implementation of the
chromium browser before 72.0.3626.81.

- CVE-2019-5756 (arbitrary code execution)

A use after free issue has been found in the PDFium component of the
chromium browser before 72.0.3626.81.

- CVE-2019-5757 (arbitrary code execution)

A type confusion issue has been found in the SVG implementation in the
chromium browser before 72.0.3626.81.

- CVE-2019-5758 (arbitrary code execution)

A use after free issue has been found in the blink component of the
chromium browser before 72.0.3626.81.

- CVE-2019-5759 (arbitrary code execution)

A use after free issue has been found in the HTML select elements
component of the chromium browser before 72.0.3626.81.

- CVE-2019-5760 (arbitrary code execution)

A use after free issue has been found in the WebRTC implementation in
the chromium browser before 72.0.3626.81.

- CVE-2019-5761 (arbitrary code execution)

A use after free issue has been found in the SwiftShader component of
the chromium browser before 72.0.3626.81.

- CVE-2019-5762 (arbitrary code execution)

A use after free issue has been found in the PDFium component of the
chromium browser before 72.0.3626.81.

- CVE-2019-5763 (arbitrary code execution)

A security issue has been found in the V8 implementation of the
chromium browser before 72.0.3626.81.

- CVE-2019-5764 (arbitrary code execution)

A use-after-free vulnerability has been found in the WebRTC component
of the chromium browser before 72.0.3626.81.

- CVE-2019-5765 (access restriction bypass)

An insufficient policy enforcement issue has been found in the chromium
browser before 72.0.3626.81.

- CVE-2019-5766 (access restriction bypass)

An insufficient policy enforcement issue has been found in the Canvas
component of the chromium browser before 72.0.3626.81.

- CVE-2019-5767 (content spoofing)

An incorrect security UI issue has been found in the WebAPKs component
of the chromium browser before 72.0.3626.81.

- CVE-2019-5768 (access restriction bypass)

An insufficient policy enforcement issue has been found in the DevTools
component of the chromium browser before 72.0.3626.81.

- CVE-2019-5769 (insufficient validation)

An insufficient validation of untrusted input issue has been found in
the Blink component of the chromium browser before 72.0.3626.81.

- CVE-2019-5770 (arbitrary code execution)

A heap-based buffer overflow vulnerability has been found in the WebGL
component of the chromium browser before 72.0.3626.81.

- CVE-2019-5771 (arbitrary code execution)

A heap-based buffer overflow vulnerability has been found in the
SwiftShader component of the chromium browser before 72.0.3626.81.

- CVE-2019-5772 (arbitrary code execution)

A use-after-free vulnerability has been found in the PDFium component
of the chromium browser before 72.0.3626.81.

- CVE-2019-5773 (insufficient validation)

An insufficient data validation issue has been found in the IndexedDB
component of the chromium browser before 72.0.3626.81.

- CVE-2019-5774 (insufficient validation)

An insufficient validation of untrusted input issue has been found in
the SafeBrowsing component of the chromium browser before 72.0.3626.81.

- CVE-2019-5775 (content spoofing)

An insufficient policy enforcement issue has been found in the OmniBox
component of the chromium browser before 72.0.3626.81, allowing IDN URL
spoofing.

- CVE-2019-5776 (content spoofing)

An insufficient policy enforcement issue has been found in the OmniBox
component of the chromium browser before 72.0.3626.81, allowing IDN URL
spoofing.

- CVE-2019-5777 (content spoofing)

An insufficient policy enforcement issue has been found in the OmniBox
component of the chromium browser before 72.0.3626.81, allowing IDN URL
spoofing.

- CVE-2019-5778 (access restriction bypass)

An insufficient policy enforcement issue has been found in the
Extensions component of the chromium browser before 72.0.3626.81.

- CVE-2019-5779 (access restriction bypass)

An insufficient policy enforcement issue has been found in the
ServiceWorker component of the chromium browser before 72.0.3626.81.

- CVE-2019-5780 (access restriction bypass)

A security issue has been found in the chromium browser before
72.0.3626.81 leading to Insufficient policy enforcement.

- CVE-2019-5781 (content spoofing)

A security issue has been found in the Omnibox implementation of the
chromium browser before 72.0.3626.81.

- CVE-2019-5782 (arbitrary code execution)

A security issue has been found in the V8 implementation of the
chromium browser before 72.0.3626.81.

- CVE-2019-5783 (insufficient validation)

An insufficient validation of untrusted input issue has been found in
the DevTools component of the chromium browser before 72.0.3626.81.

Impact
======

A remote attacker can spoof the URL in the address bar, bypass security
policies or execute arbitrary code.

References
==========

https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html
https://bugs.chromium.org/p/chromium/issues/detail?id=914497
https://bugs.chromium.org/p/chromium/issues/detail?id=913296
https://bugs.chromium.org/p/chromium/issues/detail?id=895152
https://bugs.chromium.org/p/chromium/issues/detail?id=915469
https://bugs.chromium.org/p/chromium/issues/detail?id=913970
https://bugs.chromium.org/p/chromium/issues/detail?id=912211
https://bugs.chromium.org/p/chromium/issues/detail?id=912074
https://bugs.chromium.org/p/chromium/issues/detail?id=904714
https://bugs.chromium.org/p/chromium/issues/detail?id=900552
https://bugs.chromium.org/p/chromium/issues/detail?id=914731
https://bugs.chromium.org/p/chromium/issues/detail?id=913246
https://bugs.chromium.org/p/chromium/issues/detail?id=922627
https://bugs.chromium.org/p/chromium/issues/detail?id=907047
https://bugs.chromium.org/p/chromium/issues/detail?id=902427
https://bugs.chromium.org/p/chromium/issues/detail?id=805557
https://bugs.chromium.org/p/chromium/issues/detail?id=913975
https://bugs.chromium.org/p/chromium/issues/detail?id=908749
https://bugs.chromium.org/p/chromium/issues/detail?id=904265
https://bugs.chromium.org/p/chromium/issues/detail?id=908292
https://bugs.chromium.org/p/chromium/issues/detail?id=917668
https://bugs.chromium.org/p/chromium/issues/detail?id=904182
https://bugs.chromium.org/p/chromium/issues/detail?id=896722
https://bugs.chromium.org/p/chromium/issues/detail?id=863663
https://bugs.chromium.org/p/chromium/issues/detail?id=849421
https://bugs.chromium.org/p/chromium/issues/detail?id=918470
https://bugs.chromium.org/p/chromium/issues/detail?id=891697
https://bugs.chromium.org/p/chromium/issues/detail?id=896725
https://bugs.chromium.org/p/chromium/issues/detail?id=906043
https://bugs.chromium.org/p/chromium/issues/detail?id=895081
https://security.archlinux.org/CVE-2019-5754
https://security.archlinux.org/CVE-2019-5755
https://security.archlinux.org/CVE-2019-5756
https://security.archlinux.org/CVE-2019-5757
https://security.archlinux.org/CVE-2019-5758
https://security.archlinux.org/CVE-2019-5759
https://security.archlinux.org/CVE-2019-5760
https://security.archlinux.org/CVE-2019-5761
https://security.archlinux.org/CVE-2019-5762
https://security.archlinux.org/CVE-2019-5763
https://security.archlinux.org/CVE-2019-5764
https://security.archlinux.org/CVE-2019-5765
https://security.archlinux.org/CVE-2019-5766
https://security.archlinux.org/CVE-2019-5767
https://security.archlinux.org/CVE-2019-5768
https://security.archlinux.org/CVE-2019-5769
https://security.archlinux.org/CVE-2019-5770
https://security.archlinux.org/CVE-2019-5771
https://security.archlinux.org/CVE-2019-5772
https://security.archlinux.org/CVE-2019-5773
https://security.archlinux.org/CVE-2019-5774
https://security.archlinux.org/CVE-2019-5775
https://security.archlinux.org/CVE-2019-5776
https://security.archlinux.org/CVE-2019-5777
https://security.archlinux.org/CVE-2019-5778
https://security.archlinux.org/CVE-2019-5779
https://security.archlinux.org/CVE-2019-5780
https://security.archlinux.org/CVE-2019-5781
https://security.archlinux.org/CVE-2019-5782
https://security.archlinux.org/CVE-2019-5783


ASA-201902-4: spice: arbitrary code execution

Arch Linux Security Advisory ASA-201902-4
=========================================

Severity: Critical
Date : 2019-02-11
CVE-ID : CVE-2019-3813
Package : spice
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-866

Summary
=======

The package spice before version 0.14.0-3 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 0.14.0-3.

# pacman -Syu "spice>=0.14.0-3"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-
bounds read due to an off-by-one error in memslot_get_virt. This may
lead to a denial of service, or, in the worst case, code-execution by
unauthenticated attackers.

Impact
======

A remote, unauthenticated attacker might be able to crash the server,
or even execute arbitrary code on said server.

References
==========

https://bugs.archlinux.org/task/61650
https://gitlab.freedesktop.org/spice/spice/commit/a4a16ac42d2f19a17e36556546aa94d5cd83745f
https://access.redhat.com/errata/RHSA-2019:0231
https://security.archlinux.org/CVE-2019-3813