Arch Linux 749 Published by

The following security updates are available for Arch Linux:

ASA-201903-11: firefox: multiple issues
ASA-201903-12: libssh2: multiple issues
ASA-201903-13: powerdns: insufficient validation



ASA-201903-11: firefox: multiple issues

Arch Linux Security Advisory ASA-201903-11
==========================================

Severity: Critical
Date : 2019-03-22
CVE-ID : CVE-2019-9788 CVE-2019-9789 CVE-2019-9790 CVE-2019-9791
CVE-2019-9792 CVE-2019-9793 CVE-2019-9795 CVE-2019-9796
CVE-2019-9797 CVE-2019-9799 CVE-2019-9802 CVE-2019-9803
CVE-2019-9805 CVE-2019-9806 CVE-2019-9807 CVE-2019-9808
CVE-2019-9809
Package : firefox
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-925

Summary
=======

The package firefox before version 66.0-1 is vulnerable to multiple
issues including arbitrary code execution, information disclosure,
same-origin policy bypass, access restriction bypass, content spoofing
and denial of service.

Resolution
==========

Upgrade to 66.0-1.

# pacman -Syu "firefox>=66.0-1"

The problems have been fixed upstream in version 66.0.

Workaround
==========

None.

Description
===========

- CVE-2019-9788 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 66.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2019-9789 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 66.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2019-9790 (arbitrary code execution)

A use-after-free vulnerability can occur in Firefox before 66.0 when a
raw pointer to a DOM element on a page is obtained using JavaScript and
the element is then removed while still in use. This results in a
potentially exploitable crash.

- CVE-2019-9791 (arbitrary code execution)

The type inference system in Firefox before 66.0 allows the compilation
of functions that can cause type confusions between arbitrary objects
when compiled through the IonMonkey just-in-time (JIT) compiler and
when the constructor function is entered through on-stack replacement
(OSR). This allows for possible arbitrary reading and writing of
objects during an exploitable crash.

- CVE-2019-9792 (arbitrary code execution)

The IonMonkey just-in-time (JIT) compiler in Firefox before 66.0 can
leak an internal JS_OPTIMIZED_OUT magic value to the running script
during a bailout. This magic value can then be used by JavaScript to
achieve memory corruption, which results in a potentially exploitable
crash.

- CVE-2019-9793 (arbitrary code execution)

A mechanism was discovered in Firefox before 66.0 that removes some
bounds checking for string, array, or typed array accesses if Spectre
mitigations have been disabled. This vulnerability could allow an
attacker to create an arbitrary value in compiled JavaScript, for which
the range analysis will infer a fully controlled, incorrect range in
circumstances where users have explicitly disabled Spectre mitigations.
Note that Spectre mitigations are currently enabled for all users by
default settings.

- CVE-2019-9795 (arbitrary code execution)

A vulnerability has been found in Firefox before 66.0; where type-
confusion in the IonMonkey just-in-time (JIT) compiler could
potentially be used by malicious JavaScript to trigger a potentially
exploitable crash.

- CVE-2019-9796 (arbitrary code execution)

A use-after-free vulnerability can occur in Firefox before 66.0 when
the SMIL animation controller incorrectly registers with the refresh
driver twice when only a single registration is expected. When a
registration is later freed with the removal of the animation
controller element, the refresh driver incorrectly leaves a dangling
pointer to the driver's observer array.

- CVE-2019-9797 (same-origin policy bypass)

Cross-origin images can be read in violation of the same-origin policy,
in Firefox before 66.0, by exporting an image after using
createImageBitmap to read the image and then rendering the resulting
bitmap image within a canvas element.

- CVE-2019-9799 (information disclosure)

Insufficient bounds checking of data during inter-process communication
in Firefox before 66.0 might allow a compromised content process to be
able to read memory from the parent process under certain conditions.

- CVE-2019-9802 (information disclosure)

If a Sandbox content process is compromised in Firefox before 66.0, it
can initiate an FTP download which will then use a child process to
render the downloaded data. The downloaded data can then be passed to
the Chrome process with an arbitrary file length supplied by an
attacker, bypassing sandbox protections and allow for a potential
memory read of adjacent data from the privileged Chrome process, which
may include sensitive data.

- CVE-2019-9803 (access restriction bypass)

The Upgrade-Insecure-Requests (UIR) specification states that if UIR is
enabled through Content Security Policy (CSP), navigation to a same-
origin URL must be upgraded to HTTPS. Firefox before 66.0 will
incorrectly navigate to an HTTP URL rather than perform the security
upgrade requested by the CSP in some circumstances, allowing for
potential man-in-the-middle attacks on the linked resources.

- CVE-2019-9805 (information disclosure)

A latent vulnerability exists in the Prio library in Firefox before
66.0 where data may be read from uninitialized memory for some
functions, leading to potential memory corruption.

- CVE-2019-9806 (denial of service)

A vulnerability exists in Firefox before 66.0 during authorization
prompting for FTP transaction where successive modal prompts are
displayed and cannot be immediately dismissed. This allows for a denial
of service (DOS) attack.

- CVE-2019-9807 (content spoofing)

When arbitrary text is sent over an FTP connection and a page reload is
initiated in Firefox before 66.0, it is possible to create a modal
alert message with this text as the content. This could potentially be
used for social engineering attacks.

- CVE-2019-9808 (content spoofing)

If WebRTC permission is requested from documents with data: or blob:
URLs in Firefox before 66.0, the permission notifications do not
properly display the originating domain. The notification states
"Unknown origin" as the requestee, leading to user confusion about
which site is asking for this permission.

- CVE-2019-9809 (denial of service)

If the source for resources on a page is through an FTP connection in
Firefox before 66.0, it is possible to trigger a series of modal alert
messages for these resources through invalid credentials or locations.
These messages cannot be immediately dismissed, allowing for a denial
of service (DOS) attack.

Impact
======

A remote attacker might be able to spoof origin of a permission
request, bypass security measures, access sensitive information, crash
the browser or execute arbitrary code.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9788
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1518001%2C1521304%2C1521214%2C1506665%2C1516834%2C1518774%2C1524755%2C1523362%2C1524214%2C1529203
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9789
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1520483%2C1522987%2C1528199%2C1519337%2C1525549%2C1516179%2C1518524%2C1518331%2C1526579%2C1512567%2C1524335%2C1448505%2C1518821
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9790
https://bugzilla.mozilla.org/show_bug.cgi?id=1525145
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9791
https://bugzilla.mozilla.org/show_bug.cgi?id=1530958
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9792
https://bugzilla.mozilla.org/show_bug.cgi?id=1532599
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9793
https://bugzilla.mozilla.org/show_bug.cgi?id=1528829
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9795
https://bugzilla.mozilla.org/show_bug.cgi?id=1514682
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9796
https://bugzilla.mozilla.org/show_bug.cgi?id=1531277
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9797
https://bugzilla.mozilla.org/show_bug.cgi?id=1528909
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9799
https://bugzilla.mozilla.org/show_bug.cgi?id=1505678
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9802
https://bugzilla.mozilla.org/show_bug.cgi?id=1415508
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9803
https://bugzilla.mozilla.org/show_bug.cgi?id=1515863
https://bugzilla.mozilla.org/show_bug.cgi?id=1437009
https://w3c.github.io/webappsec-upgrade-insecure-requests/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9805
https://bugzilla.mozilla.org/show_bug.cgi?id=1521360
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9806
https://bugzilla.mozilla.org/show_bug.cgi?id=1525267
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9807
https://bugzilla.mozilla.org/show_bug.cgi?id=1362050
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9808
https://bugzilla.mozilla.org/show_bug.cgi?id=1434634
https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9809
https://bugzilla.mozilla.org/show_bug.cgi?id=1282430
https://bugzilla.mozilla.org/show_bug.cgi?id=1523249
https://security.archlinux.org/CVE-2019-9788
https://security.archlinux.org/CVE-2019-9789
https://security.archlinux.org/CVE-2019-9790
https://security.archlinux.org/CVE-2019-9791
https://security.archlinux.org/CVE-2019-9792
https://security.archlinux.org/CVE-2019-9793
https://security.archlinux.org/CVE-2019-9795
https://security.archlinux.org/CVE-2019-9796
https://security.archlinux.org/CVE-2019-9797
https://security.archlinux.org/CVE-2019-9799
https://security.archlinux.org/CVE-2019-9802
https://security.archlinux.org/CVE-2019-9803
https://security.archlinux.org/CVE-2019-9805
https://security.archlinux.org/CVE-2019-9806
https://security.archlinux.org/CVE-2019-9807
https://security.archlinux.org/CVE-2019-9808
https://security.archlinux.org/CVE-2019-9809


ASA-201903-12: libssh2: multiple issues

Arch Linux Security Advisory ASA-201903-12
==========================================

Severity: Critical
Date : 2019-03-22
CVE-ID : CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858
CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862
CVE-2019-3863
Package : libssh2
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-926

Summary
=======

The package libssh2 before version 1.8.1-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
==========

Upgrade to 1.8.1-1.

# pacman -Syu "libssh2>=1.8.1-1"

The problems have been fixed upstream in version 1.8.1.

Workaround
==========

None.

Description
===========

- CVE-2019-3855 (arbitrary code execution)

A out-of-bounds write has been found in libssh2 before 1.8.1, where a
malicious server could send a specially crafted packet which could
result in an unchecked integer overflow. The value would then be used
to allocate memory causing a possible memory write out of bounds error.

- CVE-2019-3856 (arbitrary code execution)

An issue has been found in libssh2 before 1.8.1 where a server could
send a value approaching unsigned int max number of keyboard prompt
requests which could result in an unchecked integer overflow. The value
would then be used to allocate memory causing a possible memory write
out of bounds error.

- CVE-2019-3857 (arbitrary code execution)

An issue has been found in libssh2 before 1.8.1 where a server could
send a SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with
a length of max unsigned integer value. The length would then have a
value of 1 added to it and used to allocate memory causing a possible
memory write out of bounds error or zero byte allocation.

- CVE-2019-3858 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted partial SFTP packet with a zero value for the
payload length. This zero value would be used to then allocate memory
resulting in a zero byte allocation and possible out of bounds read.

- CVE-2019-3859 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted partial packet in response to various commands
such as: sha1 and sha226 key exchange, user auth list, user auth
password response, public key auth response, channel
startup/open/forward/ setenv/request pty/x11 and session start up. The
result would be a memory out of bounds read.

- CVE-2019-3860 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted partial SFTP packet with a empty payload in
response to various SFTP commands such as read directory, file status,
status vfs and symlink. The result would be a memory out of bounds
read.

- CVE-2019-3861 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted SSH packet with a padding length value greater
than the packet length. This would result in a buffer read out of
bounds when decompressing the packet or result in a corrupted packet
value.

- CVE-2019-3862 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit
status message and no payload. This would result in an out of bounds
memory comparison.

- CVE-2019-3863 (arbitrary code execution)

An issue has been found in libssh2 before 1.8.1 where a server could
send a multiple keyboard interactive response messages whose total
length are greater than unsigned char max characters. This value is
used as an index to copy memory causing in an out of bounds memory
write error.

Impact
======

A malicious server could access sensitive information or execute
arbitrary code on a vulnerable client.

References
==========

https://www.libssh2.org/mail/libssh2-devel-archive-2019-03/0009.shtml
https://www.libssh2.org/CVE-2019-3855.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
https://www.libssh2.org/CVE-2019-3856.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
https://www.libssh2.org/CVE-2019-3857.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
https://www.libssh2.org/CVE-2019-3858.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch
https://www.libssh2.org/CVE-2019-3859.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch
https://www.libssh2.org/CVE-2019-3860.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch
https://www.libssh2.org/CVE-2019-3861.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch
https://www.libssh2.org/CVE-2019-3862.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
https://www.libssh2.org/CVE-2019-3863.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
https://security.archlinux.org/CVE-2019-3855
https://security.archlinux.org/CVE-2019-3856
https://security.archlinux.org/CVE-2019-3857
https://security.archlinux.org/CVE-2019-3858
https://security.archlinux.org/CVE-2019-3859
https://security.archlinux.org/CVE-2019-3860
https://security.archlinux.org/CVE-2019-3861
https://security.archlinux.org/CVE-2019-3862
https://security.archlinux.org/CVE-2019-3863

ASA-201903-13: powerdns: insufficient validation

Arch Linux Security Advisory ASA-201903-13
==========================================

Severity: High
Date : 2019-03-22
CVE-ID : CVE-2019-3871
Package : powerdns
Type : insufficient validation
Remote : Yes
Link : https://security.archlinux.org/AVG-927

Summary
=======

The package powerdns before version 4.1.7-1 is vulnerable to
insufficient validation.

Resolution
==========

Upgrade to 4.1.7-1.

# pacman -Syu "powerdns>=4.1.7-1"

The problem has been fixed upstream in version 4.1.7.

Workaround
==========

None.

Description
===========

An issue has been found in PowerDNS Authoritative Server before 4.1.7,
when the HTTP remote backend is used in RESTful mode (without post=1
set), allowing a remote user to cause the HTTP backend to connect to an
attacker-specified host instead of the configured one, via a crafted
DNS query. This can be used to cause a denial of service by preventing
the remote backend from getting a response, content spoofing if the
attacker can time its own query so that subsequent queries will use an
attacker-controlled HTTP server instead of the configured one, and
possibly information disclosure if the Authoritative Server has access
to internal servers.

Impact
======

A remote user can cause a denial of service by preventing the remote
backend from getting a response, content spoofing if the attacker can
time its own query so that subsequent queries will use an attacker-
controlled HTTP server instead of the configured one, and possibly
information disclosure if the Authoritative Server has access to
internal servers.

References
==========

https://seclists.org/oss-sec/2019/q1/185
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
https://github.com/PowerDNS/pdns/issues/7573
https://github.com/PowerDNS/pdns/pull/7577
https://security.archlinux.org/CVE-2019-3871