Arch Linux 749 Published by

The following updates has been released for Arch Linux:

ASA-201906-16: dbus: access restriction bypass
ASA-201906-17: python: information disclosure
ASA-201906-18: firefox: arbitrary code execution



ASA-201906-16: dbus: access restriction bypass

Arch Linux Security Advisory ASA-201906-16
==========================================

Severity: High
Date : 2019-06-18
CVE-ID : CVE-2019-12749
Package : dbus
Type : access restriction bypass
Remote : No
Link : https://security.archlinux.org/AVG-974

Summary
=======

The package dbus before version 1.12.16-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 1.12.16-1.

# pacman -Syu "dbus>=1.12.16-1"

The problem has been fixed upstream in version 1.12.16.

Workaround
==========

None.

Description
===========

It has been discovered that dbus before 1.12.16 allows cookie spoofing
because of symlink mishandling in the reference implementation of
DBUS_COOKIE_SHA1 in the libdbus library. This issue only affects the
DBUS_COOKIE_SHA1 authentication mechanism.
A malicious client with write access to its own home directory could
manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a
different uid to read and write in unintended locations. In the worst
case, this could result in the DBusServer reusing a cookie that is
known to the malicious client, and treating that cookie as evidence
that a subsequent client connection came from an attacker-chosen uid,
allowing authentication bypass.

Impact
======

A local attacker could use this issue to bypass authentication and
escalate privileges.

References
==========

https://www.openwall.com/lists/oss-security/2019/06/11/2
https://gitlab.freedesktop.org/dbus/dbus/issues/269
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
https://security.archlinux.org/CVE-2019-12749

ASA-201906-17: python: information disclosure

Arch Linux Security Advisory ASA-201906-17
==========================================

Severity: High
Date : 2019-06-18
CVE-ID : CVE-2019-9636
Package : python
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-977

Summary
=======

The package python before version 3.7.3-1 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 3.7.3-1.

# pacman -Syu "python>=3.7.3-1"

The problem has been fixed upstream in version 3.7.3.

Workaround
==========

None.

Description
===========

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by
improper Handling of Unicode Encoding (with an incorrect netloc) during
NFKC normalization. A specially crafted URL could be incorrectly parsed
by urllib.parse.urlsplit and urllib.parse.urlparse to locate cookies or
authentication data and send that information to a different host than
when parsed correctly.

Impact
======

A remote attacker is able to use a specially crafted URL to locate and
disclose cookies or authentication data.

References
==========

https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
https://security.archlinux.org/CVE-2019-9636

ASA-201906-18: firefox: arbitrary code execution

Arch Linux Security Advisory ASA-201906-18
==========================================

Severity: Critical
Date : 2019-06-19
CVE-ID : CVE-2019-11707
Package : firefox
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-994

Summary
=======

The package firefox before version 67.0.3-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 67.0.3-1.

# pacman -Syu "firefox>=67.0.3-1"

The problem has been fixed upstream in version 67.0.3.

Workaround
==========

None.

Description
===========

A type confusion vulnerability can occur when manipulating JavaScript
objects due to issues in Array.pop, in Firefox before 67.0.3. This can
allow for an exploitable crash. Mozilla has been made aware of targeted
attacks in the wild abusing this flaw.

Impact
======

A remote attacker can execute arbitrary code via crafted Javascript
code.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-18
https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/#CVE-2019-11707
https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
https://security.archlinux.org/CVE-2019-11707