Gentoo 2514 Published by

The following 7 updates has been released for Gentoo Linux:

GLSA 201710-10 : elfutils: Multiple vulnerabilities
GLSA 201710-11 : GNU Libtasn1: Multiple vulnerabilities
GLSA 201710-12 : Puppet Agent: Multiple vulnerabilities
GLSA 201710-13 : Graphite: Multiple vulnerabilities
GLSA 201710-14 : WebKitGTK+: Multiple Vulnerabilities
GLSA 201710-15 : GnuTLS: Denial of Service
GLSA 201710-16 : Shadow: Buffer overflow



GLSA 201710-10 : elfutils: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: elfutils: Multiple vulnerabilities
Date: October 13, 2017
Bugs: #614002, #614004, #618004
ID: 201710-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in elfutils, the worst of
which may allow remote attackers to cause a Denial of Service
condition.

Background
==========

Elfutils provides a library and utilities to access, modify and analyse
ELF objects.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/elfutils < 0.169-r1 >= 0.169-r1

Description
===========

Multiple vulnerabilities have been discovered in elfutils. Please
review the referenced CVE identifiers for details.

Impact
======

A remote attacker could possibly cause a Denial of Service condition
via specially crafted ELF files.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All elfutils users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/elfutils-0.169-r1"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==========

[ 1 ] CVE-2016-10254
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10254
[ 2 ] CVE-2016-10255
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10255
[ 3 ] CVE-2017-7607
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7607
[ 4 ] CVE-2017-7608
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7608
[ 5 ] CVE-2017-7609
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7609
[ 6 ] CVE-2017-7610
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7610
[ 7 ] CVE-2017-7611
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7611
[ 8 ] CVE-2017-7612
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7612
[ 9 ] CVE-2017-7613
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7613

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-11 : GNU Libtasn1: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GNU Libtasn1: Multiple vulnerabilities
Date: October 13, 2017
Bugs: #619686, #627014
ID: 201710-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in GNU Libtasn1, the worst of
which may allow remote attackers to execute arbitrary code.

Background
==========

A library that provides Abstract Syntax Notation One (ASN.1, as
specified by the X.680 ITU-T recommendation) parsing and structures
management, and Distinguished Encoding Rules (DER, as per X.690)
encoding and decoding functions.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/libtasn1 < 4.12-r1 >= 4.12-r1

Description
===========

Multiple vulnerabilities have been discovered in GNU Libtasn1. Please
review the referenced CVE identifiers for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, or have
other unspecified impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU Libtasn1 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libtasn1-4.12-r1"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==========

[ 1 ] CVE-2017-10790
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10790
[ 2 ] CVE-2017-6891
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6891

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-12 : Puppet Agent: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Puppet Agent: Multiple vulnerabilities
Date: October 13, 2017
Bugs: #597684
ID: 201710-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Puppet Agent, the worst of
which could result in the execution of arbitrary code.

Background
==========

Puppet Agent contains Puppet’s main code and all of the dependencies
needed to run it, including Facter, Hiera, and bundled versions of Ruby
and OpenSSL.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/puppet-agent < 1.7.1 >= 1.7.1

Description
===========

Multiple vulnerabilities have been discovered in Puppet Agent. Please
review the references for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process or obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Puppet Agent users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/puppet-agent-1.7.1"

References
==========

[ 1 ] CVE-2016-5714
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5714
[ 2 ] Puppet Security Advise Oct 2016
https://puppet.com/security/cve/pxp-agent-oct-2016

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-13 : Graphite: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Graphite: Multiple vulnerabilities
Date: October 13, 2017
Bugs: #621724
ID: 201710-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Graphite, the worst of
which could lead to the remote execution of arbitrary code.

Background
==========

Graphite is a “smart font” system developed specifically to handle the
complexities of lesser-known languages of the world.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-gfx/graphite2 < 1.3.10 >= 1.3.10

Description
===========

Multiple vulnerabilities have been discovered in Graphite. Please
review the referenced CVE identifiers for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, or have
other unspecified impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Graphite users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/graphite2-1.3.10"

References
==========

[ 1 ] CVE-2017-7771
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7771
[ 2 ] CVE-2017-7772
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7772
[ 3 ] CVE-2017-7773
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7773
[ 4 ] CVE-2017-7774
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7774
[ 5 ] CVE-2017-7775
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7775
[ 6 ] CVE-2017-7776
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7776
[ 7 ] CVE-2017-7777
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7777
[ 8 ] CVE-2017-7778
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7778

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-14 : WebKitGTK+: Multiple Vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: WebKitGTK+: Multiple Vulnerabilities
Date: October 13, 2017
Bugs: #626142
ID: 201710-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in WebkitGTK+, the worst of
which may allow remote attackers to execute arbitrary code.

Background
==========

WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, offers
Webkit’s full functionality and is used on a wide range of systems.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.16.6:4 >= 2.16.6:4

Description
===========

Multiple vulnerabilities have been discovered in WebkitGTK+. Please
review the references below for details.

Impact
======

A remote attacker could execute arbitrary code, cause a Denial of
Service condition, bypass intended memory-read restrictions, conduct a
timing side-channel attack to bypass the Same Origin Policy, obtain
sensitive information, or spoof the address bar.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All WebKitGTK+ users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.6"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==========

[ 1 ] CVE-2017-7006
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7006
[ 2 ] CVE-2017-7011
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7011
[ 3 ] CVE-2017-7012
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7012
[ 4 ] CVE-2017-7018
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7018
[ 5 ] CVE-2017-7019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7019
[ 6 ] CVE-2017-7020
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7020
[ 7 ] CVE-2017-7030
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7030
[ 8 ] CVE-2017-7034
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7034
[ 9 ] CVE-2017-7037
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7037
[ 10 ] CVE-2017-7038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7038
[ 11 ] CVE-2017-7039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7039
[ 12 ] CVE-2017-7040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7040
[ 13 ] CVE-2017-7041
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7041
[ 14 ] CVE-2017-7042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7042
[ 15 ] CVE-2017-7043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7043

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-15 : GnuTLS: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GnuTLS: Denial of Service
Date: October 15, 2017
Bugs: #622038
ID: 201710-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A null pointer dereference in GnuTLS might allow attackers to cause a
Denial of Service condition.

Background
==========

GnuTLS is a secure communications library implementing the SSL, TLS and
DTLS protocols and technologies around them.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/gnutls < 3.5.13 >= 3.5.13

Description
===========

A null pointer dereference while decoding a status response TLS
extension with valid contents was discovered in GnuTLS.

Impact
======

A remote attacker could possibly cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GnuTLS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/gnutls-3.5.13"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==========

[ 1 ] CVE-2017-7507
https://nvd.nist.gov/vuln/detail/CVE-2017-7507

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-15

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-16 : Shadow: Buffer overflow

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Shadow: Buffer overflow
Date: October 15, 2017
Bugs: #627044
ID: 201710-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability found in Shadow may allow remote attackers to cause a
Denial of Service condition or produce other unspecified behaviors.

Background
==========

Shadow is a set of tools to deal with user accounts.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/shadow < 4.5 >= 4.5

Description
===========

Malformed input in the newusers tool may produce crashes and other
unspecified behaviors.

Impact
======

A remote attacker could possibly cause a Denial of Service condition or
bypass privilege boundaries in some web-hosting environments in which a
Control Panel allows an unprivileged user account to create
subaccounts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Shadow users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.5"

References
==========

[ 1 ] CVE-2017-12424
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12424

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5