OpenSSL, GDM, Pcre, File, Lib32-OpenSSL Updates for Arch Linux
Posted on: 03/05/2019 08:19 AM

The following updates have been released for Arch Linux:

ASA-201903-2: openssl-1.0: information disclosure
ASA-201903-3: gdm: access restriction bypass
ASA-201903-4: pcre: denial of service
ASA-201903-5: file: multiple issues
ASA-201903-6: lib32-openssl-1.0: information disclosure

ASA-201903-2: openssl-1.0: information disclosure
Arch Linux Security Advisory ASA-201903-2
=========================================

Severity: Medium
Date : 2019-03-02
CVE-ID : CVE-2019-1559
Package : openssl-1.0
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-917

Summary
=======

The package openssl-1.0 before version 1.0.2.r-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 1.0.2.r-1.

# pacman -Syu "openssl-1.0>=1.0.2.r-1"

The problem has been fixed upstream in version 1.0.2.r.

Workaround
==========

None.

Description
===========

A padding oracle has been found in OpenSSL versions prior to 1.0.2r.
This issue does not impact OpenSSL 1.1.1 or 1.1.0. If an application
encounters a fatal protocol error and then calls SSL_shutdown() twice
(once to send a close_notify, and once to receive one) then OpenSSL can
respond differently to the calling application if a 0 byte record is
received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves
differently based on that in a way that is detectable to the remote
peer, then this amounts to a padding oracle that could be used to
decrypt data.
In order for this to be exploitable "non-stitched" ciphersuites must be
in use. Stitched ciphersuites are optimised implementations of certain
commonly used ciphersuites. Also the application must call
SSL_shutdown() twice even if a protocol error has occurred
(applications should not do this but some do anyway). AEAD ciphersuites
are not impacted.

Impact
======

A remote attacker might be able to use a padding oracle to decrypt
confidential data.

References
==========

https://www.openssl.org/news/secadv/20190226.txt
https://security.archlinux.org/CVE-2019-1559



ASA-201903-3: gdm: access restriction bypass
Arch Linux Security Advisory ASA-201903-3
=========================================

Severity: High
Date : 2019-03-03
CVE-ID : CVE-2019-3820 CVE-2019-3825
Package : gdm
Type : access restriction bypass
Remote : No
Link : https://security.archlinux.org/AVG-879

Summary
=======

The package gdm before version 3.30.3-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 3.30.3-1.

# pacman -Syu "gdm>=3.30.3-1"

The problems have been fixed upstream in version 3.30.3.

Workaround
==========

None.

Description
===========

- CVE-2019-3820 (access restriction bypass)

A partial screen lock bypass via keybindings has been found in gdm <=
3.30.2, allowing a local attacker to unlock a session under certain
circumstances.

- CVE-2019-3825 (access restriction bypass)

An issue has been found in gdm <= 3.30.2, allowing a local attacker
with valid credentials to unlock the session for a different user than
their own.

Impact
======

A local attacker can unlock a session if they have other valid
credentials, or under certain circumstances.

References
==========

https://gitlab.gnome.org/GNOME/gnome-shell/issues/851
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825
https://gitlab.gnome.org/GNOME/gdm/issues/460
https://security.archlinux.org/CVE-2019-3820
https://security.archlinux.org/CVE-2019-3825



ASA-201903-4: pcre: denial of service
Arch Linux Security Advisory ASA-201903-4
=========================================

Severity: Low
Date : 2019-03-03
CVE-ID : CVE-2017-11164
Package : pcre
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-351

Summary
=======

The package pcre before version 8.43-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 8.43-1.

# pacman -Syu "pcre>=8.43-1"

The problem has been fixed upstream in version 8.43.

Workaround
==========

None.

Description
===========

In PCRE 8.41, the OP_KETRMAX feature in the match function in
pcre_exec.c allows stack exhaustion (uncontrolled recursion) when
processing a crafted regular expression.

Impact
======

A remote attacker can crash the process with a crafted regular
expression.

References
==========

http://seclists.org/oss-sec/2017/q3/111
https://bugzilla.redhat.com/show_bug.cgi?id=1470107
https://security.archlinux.org/CVE-2017-11164



ASA-201903-5: file: multiple issues
Arch Linux Security Advisory ASA-201903-5
=========================================

Severity: High
Date : 2019-03-03
CVE-ID : CVE-2019-8904 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907
Package : file
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-907

Summary
=======

The package file before version 5.36-1 is vulnerable to multiple issues
including information disclosure and denial of service.

Resolution
==========

Upgrade to 5.36-1.

# pacman -Syu "file>=5.36-1"

The problems have been fixed upstream in version 5.36.

Workaround
==========

None.

Description
===========

- CVE-2019-8904 (information disclosure)

do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based
buffer over-read, related to file_printf and file_vprintf.

- CVE-2019-8905 (information disclosure)

do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based
buffer over-read, related to file_printable, a different vulnerability
than CVE-2018-10360.

- CVE-2019-8906 (information disclosure)

do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-
bounds read because memcpy is misused.

- CVE-2019-8907 (denial of service)

do_core_note in readelf.c in libmagic.a in file 5.35 allows remote
attackers to cause a denial of service (stack corruption and
application crash) or possibly have unspecified other impact.

Impact
======

A remote attacker is able to display sensitive information within the
file process or cause a crash via a crafted ELF file.

References
==========

https://bugs.astron.com/view.php?id=62
https://bugs.astron.com/view.php?id=63
https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f
https://bugs.astron.com/view.php?id=64
https://bugs.astron.com/view.php?id=65
https://security.archlinux.org/CVE-2019-8904
https://security.archlinux.org/CVE-2019-8905
https://security.archlinux.org/CVE-2019-8906
https://security.archlinux.org/CVE-2019-8907



ASA-201903-6: lib32-openssl-1.0: information disclosure
Arch Linux Security Advisory ASA-201903-6
=========================================

Severity: Medium
Date : 2019-03-03
CVE-ID : CVE-2019-1559
Package : lib32-openssl-1.0
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-918

Summary
=======

The package lib32-openssl-1.0 before version 1.0.2.r-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 1.0.2.r-1.

# pacman -Syu "lib32-openssl-1.0>=1.0.2.r-1"

The problem has been fixed upstream in version 1.0.2.r.

Workaround
==========

None.

Description
===========

A padding oracle has been found in OpenSSL versions prior to 1.0.2r.
This issue does not impact OpenSSL 1.1.1 or 1.1.0. If an application
encounters a fatal protocol error and then calls SSL_shutdown() twice
(once to send a close_notify, and once to receive one) then OpenSSL can
respond differently to the calling application if a 0 byte record is
received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves
differently based on that in a way that is detectable to the remote
peer, then this amounts to a padding oracle that could be used to
decrypt data.
In order for this to be exploitable "non-stitched" ciphersuites must be
in use. Stitched ciphersuites are optimised implementations of certain
commonly used ciphersuites. Also the application must call
SSL_shutdown() twice even if a protocol error has occurred
(applications should not do this but some do anyway). AEAD ciphersuites
are not impacted.
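
The description in ASA-201903-2 and ASA-201903-6 excludes AEAD ciphersuites, so one useful check is which suites a service's cipher string enables outside that exclusion. The following is an added example, not part of the advisories or of OpenSSL: the function names and the sample lines are constructed here, and it does not determine whether a suite uses a stitched implementation.

```shell
#!/bin/sh
# non_aead_block_suites: read `openssl ciphers -v` output on stdin and print
# the suites that pair a block cipher with a separate MAC (Mac= is not AEAD).
# Stream (RC4) and NULL suites are skipped because they carry no padding.
non_aead_block_suites() {
    awk '{
        mac = ""; enc = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Mac=/) mac = substr($i, 5)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
        }
        if (mac == "" || mac == "AEAD") next
        if (enc ~ /^(RC4|None)/) next
        print $1, enc, mac
    }'
}

# Constructed sample in the column layout printed by `openssl ciphers -v`.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
EOF
}

# Against a real configuration, pipe the service's cipher string through it:
#   openssl ciphers -v 'CIPHER_STRING_FROM_CONFIG' | non_aead_block_suites
```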

Impact
======

A remote attacker might be able to use a padding oracle to decrypt
confidential data.

References
==========

https://www.openssl.org/news/secadv/20190226.txt
https://security.archlinux.org/CVE-2019-1559
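
To confirm a host has picked up all five updates, the fixed versions from the Resolution sections above can be compared with what is installed. This is an added example, not part of the advisories or of pacman: `audit` and `older_than` are names chosen here, and the `sort -V` fallback is only an approximation of pacman's version ordering for systems without `vercmp`.

```shell
#!/bin/sh
# Fixed versions, copied from the "Resolution" section of each advisory.
FIXED='openssl-1.0 1.0.2.r-1
gdm 3.30.3-1
pcre 8.43-1
file 5.36-1
lib32-openssl-1.0 1.0.2.r-1'

# older_than A B: succeed when version A sorts before version B.
# Prefers pacman's vercmp; otherwise falls back to `sort -V` (assumption:
# close enough for the plain version strings used in these advisories).
older_than() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# audit: read `pacman -Q`-style lines ("name version") on stdin and print one
# status line per advisory package: VULNERABLE, ok, or not-installed.
audit() {
    installed=$(cat)
    printf '%s\n' "$FIXED" | while read -r pkg fixed; do
        have=$(printf '%s\n' "$installed" |
               awk -v p="$pkg" '$1 == p { print $2; exit }')
        if [ -z "$have" ]; then
            echo "$pkg not-installed"
        elif older_than "$have" "$fixed"; then
            echo "$pkg VULNERABLE $have < $fixed"
        else
            echo "$pkg ok $have"
        fi
    done
}

# On an Arch Linux system:
#   pacman -Q | audit
```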






Printed from Linux Compatible (https://www.linuxcompatible.org/news/story/opensslgdmpcrefilelib32_openssl_updates_for_arch_linux.html)