Arch Linux 749 Published by

The following security updates has been released for Arch Linux:

ASA-201908-9: libreoffice-still: multiple issues
ASA-201908-10: subversion: denial of service
ASA-201908-11: firefox: information disclosure
ASA-201908-12: nginx-mainline: denial of service
ASA-201908-13: nginx: denial of service



ASA-201908-9: libreoffice-still: multiple issues

Arch Linux Security Advisory ASA-201908-9
=========================================

Severity: High
Date : 2019-08-16
CVE-ID : CVE-2019-9848 CVE-2019-9849
Package : libreoffice-still
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1010

Summary
=======

The package libreoffice-still before version 6.2.6-1 is vulnerable to
multiple issues including arbitrary command execution and information
disclosure.

Resolution
==========

Upgrade to 6.2.6-1.

# pacman -Syu "libreoffice-still>=6.2.6-1"

The problems have been fixed upstream in version 6.2.6.

Workaround
==========

None.

Description
===========

- CVE-2019-9848 (arbitrary command execution)

An issue has been found in LibreOffice before 6.2.5, where documents
can specify that pre-installed scripts can be executed on various
document events such as mouse-over, etc. LibreOffice is typically also
bundled with LibreLogo, a programmable turtle vector graphics script,
which can be manipulated into executing arbitrary python commands. By
using the document event feature to trigger LibreLogo to execute python
contained within a document a malicious document could be constructed
which would execute arbitrary python commands silently without warning.
In the fixed versions, LibreLogo cannot be called from a document event
handler.

- CVE-2019-9849 (information disclosure)

LibreOffice has a 'stealth mode' in which only documents from locations
deemed 'trusted' are allowed to retrieve remote resources. This mode is
not the default mode, but can be enabled by users who want to disable
LibreOffice's ability to include remote resources within a document. A
flaw existed where bullet graphics were omitted from this protection
prior to version 6.2.5.

Impact
======

A remote attacker is able to execute arbitrary commands via a specially
crafted document or disclose bullet graphics from locations which
should be hidden when 'stealth mode' is enabled.

References
==========

https://security.archlinux.org/CVE-2019-9848
https://security.archlinux.org/CVE-2019-9849
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848
https://github.com/LibreOffice/core/commit/5d47b7b3f6a134037f1f3d8c018505244d7be484
https://github.com/LibreOffice/core/commit/3dd024a28a98a9d4b4efc3c7ec6acaa94d2b25fd
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849
https://security.archlinux.org/CVE-2019-9848
https://security.archlinux.org/CVE-2019-9849


ASA-201908-10: subversion: denial of service

Arch Linux Security Advisory ASA-201908-10
==========================================

Severity: High
Date : 2019-08-16
CVE-ID : CVE-2018-11782 CVE-2019-0203
Package : subversion
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1016

Summary
=======

The package subversion before version 1.12.2-1 is vulnerable to denial
of service.

Resolution
==========

Upgrade to 1.12.2-1.

# pacman -Syu "subversion>=1.12.2-1"

The problems have been fixed upstream in version 1.12.2.

Workaround
==========

None.

Description
===========

- CVE-2018-11782 (denial of service)

Subversion svn:// connections, including svn+ssh:// and
svn+://, use a custom network protocol [1] with Lisp-like
syntax. The code implementing the protocol has dedicated codepaths for
serialization of revision numbers into protocol integers. A particular
client query could cause the server to attempt to reply with a revision
number whose value is the invalid revision number constant
`SVN_INVALID_REVNUM`, thereby triggering an assertion failure in the
the serialization layer.

- CVE-2019-0203 (denial of service)

A null-pointer-dereference has been found in svnserve that results in a
remote unauthenticated Denial-of-Service in some server configurations.
The vulnerability can be triggered by an unauthenticated user if the
server is configured with anonymous access enabled.

Impact
======

A remote attacker is able to cause a denial of service by sending a
special packet.

References
==========

http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt
https://security.archlinux.org/CVE-2018-11782
https://security.archlinux.org/CVE-2019-0203


ASA-201908-11: firefox: information disclosure

Arch Linux Security Advisory ASA-201908-11
==========================================

Severity: Medium
Date : 2019-08-16
CVE-ID : CVE-2019-11733
Package : firefox
Type : information disclosure
Remote : No
Link : https://security.archlinux.org/AVG-1025

Summary
=======

The package firefox before version 68.0.2-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 68.0.2-1.

# pacman -Syu "firefox>=68.0.2-1"

The problem has been fixed upstream in version 68.0.2.

Workaround
==========

None.

Description
===========

An issue has been found in Firefox before 68.0.2. When a master
password is set, it is required to be entered before stored passwords
can be accessed in the 'Saved Logins' dialog. It was found that locally
stored passwords can be copied to the clipboard through the 'copy
password' context menu item without first entering the master password,
allowing for potential theft of stored passwords.

Impact
======

A local attacker is able to obtain stored passwords without first
entering the master password leading to information disclosure.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/#CVE-2019-11733
https://bugzilla.mozilla.org/show_bug.cgi?id=1565780
https://security.archlinux.org/CVE-2019-11733


ASA-201908-12: nginx-mainline: denial of service

Arch Linux Security Advisory ASA-201908-12
==========================================

Severity: Medium
Date : 2019-08-16
CVE-ID : CVE-2019-9511 CVE-2019-9513 CVE-2019-9516
Package : nginx-mainline
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1022

Summary
=======

The package nginx-mainline before version 1.17.3-1 is vulnerable to
denial of service.

Resolution
==========

Upgrade to 1.17.3-1.

# pacman -Syu "nginx-mainline>=1.17.3-1"

The problems have been fixed upstream in version 1.17.3.

Workaround
==========

Disable http/2 support.

Description
===========

- CVE-2019-9511 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker requests a large amount of data from a specified resource over
multiple streams. They manipulate window size and stream priority to
force the server to queue the data in 1-byte chunks. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.

- CVE-2019-9513 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker creates multiple request streams and continually shuffles the
priority of the streams in a way that causes substantial churn to the
priority tree. This can consume excess CPU, potentially leading to a
denial of service.

- CVE-2019-9516 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker sends a stream of headers with a 0-length header name and
0-length header value, optionally Huffman encoded into 1-byte or
greater headers. Some implementations allocate memory for these headers
and keep the allocation alive until the session dies. This can consume
excess memory, potentially leading to a denial of service.

Impact
======

A remote attacker is able cause a denial of service by sending a
specially crafted packet.

References
==========

https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089
https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f
https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89
https://security.archlinux.org/CVE-2019-9511
https://security.archlinux.org/CVE-2019-9513
https://security.archlinux.org/CVE-2019-9516


ASA-201908-13: nginx: denial of service

Arch Linux Security Advisory ASA-201908-13
==========================================

Severity: Medium
Date : 2019-08-16
CVE-ID : CVE-2019-9511 CVE-2019-9513 CVE-2019-9516
Package : nginx
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1023

Summary
=======

The package nginx before version 1.16.1-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1.16.1-1.

# pacman -Syu "nginx>=1.16.1-1"

The problems have been fixed upstream in version 1.16.1.

Workaround
==========

Disable http/2 support.

Description
===========

- CVE-2019-9511 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker requests a large amount of data from a specified resource over
multiple streams. They manipulate window size and stream priority to
force the server to queue the data in 1-byte chunks. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.

- CVE-2019-9513 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker creates multiple request streams and continually shuffles the
priority of the streams in a way that causes substantial churn to the
priority tree. This can consume excess CPU, potentially leading to a
denial of service.

- CVE-2019-9516 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker sends a stream of headers with a 0-length header name and
0-length header value, optionally Huffman encoded into 1-byte or
greater headers. Some implementations allocate memory for these headers
and keep the allocation alive until the session dies. This can consume
excess memory, potentially leading to a denial of service.

Impact
======

A remote attacker is able cause a denial of service by sending a
specially crafted packet.

References
==========

https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089
https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f
https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89
https://security.archlinux.org/CVE-2019-9511
https://security.archlinux.org/CVE-2019-9513
https://security.archlinux.org/CVE-2019-9516