Gentoo 2478 Published by

The following security updates are available for Gentoo Linux:

GLSA 201804-16 : ClamAV: Multiple vulnerabilities
GLSA 201804-17 : Quagga: Multiple vulnerabilities
GLSA 201804-18 : tenshi: Privilege escalation
GLSA 201804-19 : mbed TLS: Multiple vulnerabilites
GLSA 201804-20 : unADF: Remote code execution
GLSA 201804-21 : librelp: Remote code execution



GLSA 201804-16 : ClamAV: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ClamAV: Multiple vulnerabilities
Date: April 22, 2018
Bugs: #623534, #625632, #628686, #628690, #649314
ID: 201804-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ClamAV, the worst of which
may allow remote attackers to execute arbitrary code.

Background
==========

ClamAV is a GPL virus scanner.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-antivirus/clamav < 0.99.4 >= 0.99.4

Description
===========

Multiple vulnerabilities have been discovered in ClamAV. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker, through multiple vectors, could execute arbitrary
code, cause a Denial of Service condition, or have other unspecified
impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.99.4"

References
==========

[ 1 ] CVE-2012-6706
https://nvd.nist.gov/vuln/detail/CVE-2012-6706
[ 2 ] CVE-2017-11423
https://nvd.nist.gov/vuln/detail/CVE-2017-11423
[ 3 ] CVE-2017-6418
https://nvd.nist.gov/vuln/detail/CVE-2017-6418
[ 4 ] CVE-2017-6419
https://nvd.nist.gov/vuln/detail/CVE-2017-6419
[ 5 ] CVE-2017-6420
https://nvd.nist.gov/vuln/detail/CVE-2017-6420
[ 6 ] CVE-2018-0202
https://nvd.nist.gov/vuln/detail/CVE-2018-0202
[ 7 ] CVE-2018-1000085
https://nvd.nist.gov/vuln/detail/CVE-2018-1000085

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-17 : Quagga: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Quagga: Multiple vulnerabilities
Date: April 22, 2018
Bugs: #647788
ID: 201804-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Quagga, the worst of which
could allow remote attackers to execute arbitrary code.

Background
==========

Quagga is a free routing daemon replacing Zebra supporting RIP, OSPF
and BGP.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/quagga < 1.2.4 >= 1.2.4

Description
===========

Multiple vulnerabilities have been discovered in Quagga. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by sending specially crafted packets, could execute
arbitrary code or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Quagga users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/quagga-1.2.4"

References
==========

[ 1 ] CVE-2018-5378
https://nvd.nist.gov/vuln/detail/CVE-2018-5378
[ 2 ] CVE-2018-5379
https://nvd.nist.gov/vuln/detail/CVE-2018-5379
[ 3 ] CVE-2018-5380
https://nvd.nist.gov/vuln/detail/CVE-2018-5380
[ 4 ] CVE-2018-5381
https://nvd.nist.gov/vuln/detail/CVE-2018-5381

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-17

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-18 : tenshi: Privilege escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: tenshi: Privilege escalation
Date: April 22, 2018
Bugs: #626654
ID: 201804-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Gentoo's tenshi ebuild is vulnerable to privilege escalation due to the
way pid files are handled.

Background
==========

A log monitoring program, designed to watch one or more log files for
lines matching user defined regular expressions and report on the
matches.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/tenshi < 0.17 >= 0.17

Description
===========

It was discovered that the tenshi ebuild creates a tenshi.pid file
after dropping privileges to a non-root account.

Impact
======

A local attacker could escalate privileges to root or kill arbitrary
processes.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tenshi users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/tenshi-0.17"

References
==========

[ 1 ] CVE-2017-11746
https://nvd.nist.gov/vuln/detail/CVE-2017-11746

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-18

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-19 : mbed TLS: Multiple vulnerabilites

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: mbed TLS: Multiple vulnerabilites
Date: April 22, 2018
Bugs: #647800
ID: 201804-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in mbed TLS, the worst of
which could allow remote attackers to execute arbitrary code.

Background
==========

mbed TLS (previously PolarSSL) is an “easy to understand, use,
integrate and expand” implementation of the TLS and SSL protocols and
the respective cryptographic algorithms and support code required.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/mbedtls < 2.7.2 >= 2.7.2

Description
===========

Multiple vulnerabilities have been discovered in mbed TLS. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker, through multiple vectors, could possibly execute
arbitrary code with the privileges of the process or cause a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mbed TLS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.7.2"

References
==========

[ 1 ] CVE-2017-18187
https://nvd.nist.gov/vuln/detail/CVE-2017-18187
[ 2 ] CVE-2018-0487
https://nvd.nist.gov/vuln/detail/CVE-2018-0487
[ 3 ] CVE-2018-0488
https://nvd.nist.gov/vuln/detail/CVE-2018-0488

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-20 : unADF: Remote code execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: unADF: Remote code execution
Date: April 22, 2018
Bugs: #636388
ID: 201804-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in unADF that may allow a
remote attacker to execute arbitrary code.

Background
==========

An unzip like for .ADF files.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-arch/unadf < 0.7.12-r1 >= 0.7.12-r1

Description
===========

Multiple vulnerabilities were discovered in unADF that can lead to
remote code execution. Please review the CVE identifiers referenced
below for details.

Impact
======

A remote attacker, by enticing a user to process a specially crafted
file, could execute arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All unADF users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/unadf-0.7.12-r1"

References
==========

[ 1 ] CVE-2016-1243
https://nvd.nist.gov/vuln/detail/CVE-2016-1243
[ 2 ] CVE-2016-1244
https://nvd.nist.gov/vuln/detail/CVE-2016-1244

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-20

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-21 : librelp: Remote code execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: librelp: Remote code execution
Date: April 22, 2018
Bugs: #651192
ID: 201804-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in librelp that may allow a remote
attacker to execute arbitrary code.

Background
==========

A reliable logging program.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/librelp < 1.2.15 >= 1.2.15

Description
===========

A buffer overflow was discovered in librelp with the handling of x509
certificates.

Impact
======

A remote attacker, by sending a specially crafted x509 certificate,
could execute arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All librelp users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/librelp-1.2.15"

References
==========

[ 1 ] CVE-2018-1000140
https://nvd.nist.gov/vuln/detail/CVE-2018-1000140

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-21

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5