Arch Linux 811 Published by

The following updates has been released for Arch Linux:

ASA-201811-10: thunderbird: arbitrary code execution
ASA-201811-11: systemd: multiple issues



ASA-201811-10: thunderbird: arbitrary code execution

Arch Linux Security Advisory ASA-201811-10
==========================================

Severity: Critical
Date : 2018-11-06
CVE-ID : CVE-2018-12389 CVE-2018-12390 CVE-2018-12392
Package : thunderbird
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-803

Summary
=======

The package thunderbird before version 60.3.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 60.3.0-1.

# pacman -Syu "thunderbird>=60.3.0-1"

The problems have been fixed upstream in version 60.3.0.

Workaround
==========

None.

Description
===========

- CVE-2018-12389 (arbitrary code execution)

Several memory safety bugs have been found in Thunderbird versions
prior to 63.0. Some of these bugs showed evidence of memory corruption
and Mozilla engineers presume that with enough effort some of these
could be exploited to run arbitrary code.

- CVE-2018-12390 (arbitrary code execution)

Several memory safety bugs have been found in Firefox and Thunderbird
versions prior to 63.0. Some of these bugs showed evidence of memory
corruption and Mozilla engineers presume that with enough effort some
of these could be exploited to run arbitrary code.

- CVE-2018-12392 (arbitrary code execution)

A security issue has been found in Firefox and Thunderbird versions
prior to 63.0. When manipulating user events in nested loops while
opening a document through script, it is possible to trigger a
potentially exploitable crash due to poor event handling.

Impact
======

A remote attacker is able to execute arbitrary code via a specially
crafted HTML document.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/#CVE-2018-12390
https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12390
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1487098%2C1487660%2C1490234%2C1496159%2C1443748%2C1496340%2C1483905%2C1493347%2C1488803%2C1498701%2C1498482%2C1442010%2C1495245%2C1483699%2C1469486%2C1484905%2C1490561%2C1492524%2C1481844
https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12392
https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/#CVE-2018-12392
https://bugzilla.mozilla.org/show_bug.cgi?id=1492823
https://security.archlinux.org/CVE-2018-12389
https://security.archlinux.org/CVE-2018-12390
https://security.archlinux.org/CVE-2018-12392


ASA-201811-11: systemd: multiple issues

Arch Linux Security Advisory ASA-201811-11
==========================================

Severity: Critical
Date : 2018-11-07
CVE-ID : CVE-2018-15686 CVE-2018-15687 CVE-2018-15688
Package : systemd
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-789

Summary
=======

The package systemd before version 239.300-1 is vulnerable to multiple
issues including arbitrary code execution and privilege escalation.

Resolution
==========

Upgrade to 239.300-1.

# pacman -Syu "systemd>=239.300-1"

The problems have been fixed upstream in version 239.300.

Workaround
==========

- CVE-2018-15688

Disable IPv6 by setting either LinkLocalAddressing=ipv4 or
LinkLocalAddressing=no in the corresponding network configuration file.

Description
===========

- CVE-2018-15686 (privilege escalation)

A security issue has been found in systemd up to and including 239,
where the use of fgets() allows an attacker to escalate privilege via a
crafted service with NotifyAccess.

- CVE-2018-15687 (privilege escalation)

A security issue has been found in systemd up to and including 239,
where a race condition in the chown_one() function can be used to
escalate privileges via a crafted symlink.

- CVE-2018-15688 (arbitrary code execution)

An out-of-bounds write has been found in the dhcpv6 option handing code
of systemd-networkd up to and including v239.

It was discovered that systemd-network does not correctly keep track of
a buffer size in the dhcp6_option_append_ia() function, when
constructing DHCPv6 packets. This flaw may lead to an integer underflow
that can be used to produce an heap-based buffer overflow. A malicious
host on the same network segment as the victim's one may advertise
itself as a DHCPv6 server and exploit this flaw to cause a Denial of
Service or potentially gain code execution on the victim's machine. The
overflow can be triggered relatively easy by advertising a DHCPv6
server with a server-id >= 493 characters long.

Impact
======

A remote attacker is able to cause arbitrary code execution by
advertising itself as a DHCPv6 server with a specially crafted server-
id. A local attacker can escalate privileges with a specially crafted
service or a crafted symlink.

References
==========

https://bugs.archlinux.org/task/60609
https://bugs.chromium.org/p/project-zero/issues/detail?id=1687
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796402
https://github.com/systemd/systemd/pull/10447
https://github.com/systemd/systemd/pull/10450
https://bugs.chromium.org/p/project-zero/issues/detail?id=1689
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796692
https://github.com/systemd/systemd/pull/10517
https://bugs.launchpad.net/ubuntu/%2Bsource/systemd/%2Bbug/1795921
https://github.com/systemd/systemd/pull/10518
https://github.com/poettering/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20
https://security.archlinux.org/CVE-2018-15686
https://security.archlinux.org/CVE-2018-15687
https://security.archlinux.org/CVE-2018-15688