Arch Linux 804 Published by

The following updates has been released for Arch Linux:

ASA-201903-2: openssl-1.0: information disclosure
ASA-201903-3: gdm: access restriction bypass
ASA-201903-4: pcre: denial of service
ASA-201903-5: file: multiple issues
ASA-201903-6: lib32-openssl-1.0: information disclosure



ASA-201903-2: openssl-1.0: information disclosure

Arch Linux Security Advisory ASA-201903-2
=========================================

Severity: Medium
Date : 2019-03-02
CVE-ID : CVE-2019-1559
Package : openssl-1.0
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-917

Summary
=======

The package openssl-1.0 before version 1.0.2.r-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 1.0.2.r-1.

# pacman -Syu "openssl-1.0>=1.0.2.r-1"

The problem has been fixed upstream in version 1.0.2.r.

Workaround
==========

None.

Description
===========

A padding oracle has been found in OpenSSL versions prior to 1.0.2r.
This issue does not impact OpenSSL 1.1.1 or 1.1.0. If an application
encounters a fatal protocol error and then calls SSL_shutdown() twice
(once to send a close_notify, and once to receive one) then OpenSSL can
respond differently to the calling application if a 0 byte record is
received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves
differently based on that in a way that is detectable to the remote
peer, then this amounts to a padding oracle that could be used to
decrypt data.
In order for this to be exploitable "non-stitched" ciphersuites must be
in use. Stitched ciphersuites are optimised implementations of certain
commonly used ciphersuites. Also the application must call
SSL_shutdown() twice even if a protocol error has occurred
(applications should not do this but some do anyway). AEAD ciphersuites
are not impacted.

Impact
======

A remote attacker might be able to use a padding oracle to decrypt
confidential data.

References
==========

https://www.openssl.org/news/secadv/20190226.txt
https://security.archlinux.org/CVE-2019-1559


ASA-201903-3: gdm: access restriction bypass

Arch Linux Security Advisory ASA-201903-3
=========================================

Severity: High
Date : 2019-03-03
CVE-ID : CVE-2019-3820 CVE-2019-3825
Package : gdm
Type : access restriction bypass
Remote : No
Link : https://security.archlinux.org/AVG-879

Summary
=======

The package gdm before version 3.30.3-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 3.30.3-1.

# pacman -Syu "gdm>=3.30.3-1"

The problems have been fixed upstream in version 3.30.3.

Workaround
==========

None.

Description
===========

- CVE-2019-3820 (access restriction bypass)

A partial screen lock bypass via keybindings has been found in gdm