Arch Linux 749 Published by

The following updates has been released for Arch Linux:

ASA-201904-5: ghostscript: sandbox escape
ASA-201904-7: jenkins: multiple issues
ASA-201904-8: flashplugin: multiple issues
ASA-201904-9: dovecot: denial of service



ASA-201904-5: ghostscript: sandbox escape

Arch Linux Security Advisory ASA-201904-5
=========================================

Severity: High
Date : 2019-04-11
CVE-ID : CVE-2019-3835 CVE-2019-3838
Package : ghostscript
Type : sandbox escape
Remote : Yes
Link : https://security.archlinux.org/AVG-929

Summary
=======

The package ghostscript before version 9.27-1 is vulnerable to sandbox
escape.

Resolution
==========

Upgrade to 9.27-1.

# pacman -Syu "ghostscript>=9.27-1"

The problems have been fixed upstream in version 9.27.

Workaround
==========

None.

Description
===========

- CVE-2019-3835 (sandbox escape)

It was found that the superexec operator was available in the internal
dictionary. A specially crafted PostScript file could use this flaw in
order to, for example, have access to the file system outside of the
constrains imposed by -dSAFER.

- CVE-2019-3838 (sandbox escape)

It was found that the forceput operator could be extracted from the
DefineResource method using methods similar to the ones described in
CVE-2019-6116. A specially crafted PostScript file could use this flaw
in order to, for example, have access to the file system outside of the
constrains imposed by -dSAFER.

Impact
======

A remote attacker is able to escape the sandbox via a specially crafted
PostScript document.

References
==========

https://bugs.archlinux.org/task/62102
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e6
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a
https://security.archlinux.org/CVE-2019-3835
https://security.archlinux.org/CVE-2019-3838

ASA-201904-7: jenkins: multiple issues

Arch Linux Security Advisory ASA-201904-7
=========================================

Severity: Medium
Date : 2019-04-11
CVE-ID : CVE-2019-1003049 CVE-2019-1003050
Package : jenkins
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-948

Summary
=======

The package jenkins before version 2.172-1 is vulnerable to multiple
issues including access restriction bypass and cross-site scripting.

Resolution
==========

Upgrade to 2.172-1.

# pacman -Syu "jenkins>=2.172-1"

The problems have been fixed upstream in version 2.172.

Workaround
==========

None.

Description
===========

- CVE-2019-1003049 (access restriction bypass)

A security issue has been found in Jenkins before 2.172, where the fix
for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing
remoting-based CLI authentication caches. This means that users who
cached their CLI authentication before Jenkins was updated to 2.150.2
and newer, or 2.160 and newer, would remain authenticated.

- CVE-2019-1003050 (cross-site scripting)

The f:validateButton form control for the Jenkins UI did not properly
escape job URLs. This resulted in a cross-site scripting (XSS)
vulnerability exploitable by users with the ability to control job
names.

Impact
======

A remote attacker is able to bypass access restrictions or perform
cross-site scripting.

References
==========

https://seclists.org/oss-sec/2019/q2/15
https://jenkins.io/security/advisory/2019-04-10/
https://security.archlinux.org/CVE-2019-1003049
https://security.archlinux.org/CVE-2019-1003050

ASA-201904-8: flashplugin: multiple issues

Arch Linux Security Advisory ASA-201904-8
=========================================

Severity: Critical
Date : 2019-04-12
CVE-ID : CVE-2019-7096 CVE-2019-7108
Package : flashplugin
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-949

Summary
=======

The package flashplugin before version 32.0.0.171-1 is vulnerable to
multiple issues including arbitrary code execution and information
disclosure.

Resolution
==========

Upgrade to 32.0.0.171-1.

# pacman -Syu "flashplugin>=32.0.0.171-1"

The problems have been fixed upstream in version 32.0.0.171.

Workaround
==========

None.

Description
===========

- CVE-2019-7096 (arbitrary code execution)

An arbitrary code execution issue has been found in Adobe Flash Player
before 32.0.0.171.

- CVE-2019-7108 (information disclosure)

An out-of-bounds read has been found in Adobe Flash Player before
32.0.0.171.

Impact
======

A remote attacker can execute arbitrary code on the affected host.

References
==========

https://helpx.adobe.com/security/products/flash-player/apsb19-19.html
https://security.archlinux.org/CVE-2019-7096
https://security.archlinux.org/CVE-2019-7108

ASA-201904-9: dovecot: denial of service

Arch Linux Security Advisory ASA-201904-9
=========================================

Severity: Medium
Date : 2019-04-18
CVE-ID : CVE-2019-10691
Package : dovecot
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-950

Summary
=======

The package dovecot before version 2.3.5.2-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 2.3.5.2-1.

# pacman -Syu "dovecot>=2.3.5.2-1"

The problem has been fixed upstream in version 2.3.5.2.

Workaround
==========

None.

Description
===========

JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering
invalid UTF-8 characters. This can be used to crash dovecot in two
ways. Attacker can repeatedly crash Dovecot authentication process by
logging in using invalid UTF-8 sequence in username. This requires that
auth policy is enabled. Crash can also occur if OX push notification
driver is enabled and an email is delivered with invalid UTF-8 sequence
in From or Subject header. In 2.2, malformed UTF-8 sequences are
forwarded "as-is", and thus do not cause problems in Dovecot itself.
Target systems should be checked for possible problems in dealing with
such sequences.

Impact
======

An attacker is able to crash the dovecot process by making it process a
username or email containing an unsupported UTF-8 sequence.

References
==========

https://wiki.dovecot.org/Authentication/Policy
https://security.archlinux.org/CVE-2019-10691