Security failure of Death

$ arch-audit -c
minizip is affected by arbitrary code execution. (CVE-2023-45853). Critical risk!
grub is affected by multiple issues. (CVE-2022-28737, CVE-2022-28736, CVE-2022-28735, CVE-2022-28734, CVE-2022-28733, CVE-2021-3697, CVE-2021-3696, CVE-2021-3695). High risk!
linux-lts is affected by multiple issues, information disclosure. (CVE-2022-28390, CVE-2022-28389, CVE-2022-28388, CVE-2022-27666, CVE-2022-26490, CVE-2022-1516, CVE-2022-1353, CVE-2022-1205, CVE-2022-1204, CVE-2022-1199, CVE-2022-1198, CVE-2022-1195, CVE-2022-1158, CVE-2022-1048, CVE-2022-1016, CVE-2022-1015, CVE-2022-0168, CVE-2021-44879, CVE-2021-4197, CVE-2022-0002, CVE-2022-0001). High risk!
edk2-shell is affected by certificate verification bypass. (CVE-2019-14560). Medium risk!
giflib is affected by information disclosure. (CVE-2020-23922). Medium risk!
libheif is affected by information disclosure. (CVE-2020-23109). Medium risk!
libtiff is affected by unknown, denial of service. (CVE-2022-48281, CVE-2022-3970, CVE-2022-3627, CVE-2022-3599, CVE-2022-3597, CVE-2022-3570, CVE-2022-34526, CVE-2022-2953, CVE-2022-2869, CVE-2022-2868, CVE-2022-2867, CVE-2022-2521, CVE-2022-2520, CVE-2022-2519, CVE-2022-2058, CVE-2022-2057, CVE-2022-2056, CVE-2022-1623, CVE-2022-1622, CVE-2022-1355, CVE-2022-1354). Medium risk!
linux is affected by multiple issues, insufficient validation. (CVE-2021-43976, CVE-2021-4095, CVE-2021-4028, CVE-2021-3847, CVE-2021-3752, CVE-2021-3669, CVE-2021-31615, CVE-2020-26560, CVE-2020-26559, CVE-2020-26557, CVE-2020-26556, CVE-2020-26555, CVE-2020-35501). Medium risk!
linux-zen is affected by multiple issues. (CVE-2021-43976, CVE-2021-4095, CVE-2021-4028, CVE-2021-3847, CVE-2021-3752, CVE-2021-3669). Medium risk!
openjpeg2 is affected by arbitrary code execution. (CVE-2021-3575). Medium risk!
openssl is affected by arbitrary command execution. (CVE-2022-2068). Medium risk!
openvpn is affected by information disclosure. (CVE-2021-3773). Medium risk!
perl is affected by signature forgery, directory traversal. (CVE-2020-16156, CVE-2021-36770). Medium risk!
wget is affected by information disclosure. (CVE-2021-31879). Medium risk!
xdg-utils is affected by information disclosure. (CVE-2020-27748). Medium risk!
lua51 is affected by denial of service. (CVE-2021-43519, CVE-2014-5461). Low risk!
lua52 is affected by denial of service. (CVE-2021-43519). Low risk!
lua53 is affected by denial of service. (CVE-2021-43519). Low risk!
$ yay -Qi minizip
Name            : minizip
Version         : 1:1.3.1-1
[...]
Required By     : keepassxc  qt5-webengine  ungoogled-chromium
Optional For    : None
Conflicts With  : None
Replaces        : None
[...]
Install Reason  : Installed as a dependency for another package
[...]

is there anything to do about those (especially the minizip critical risk of Death)?

I suppose not (besides the obvious don’t use any of the programs that require it)

Nope, except waiting for updates.

Those guys are likely on it:
https://security.archlinux.org/

P.S. Yep, they are. https://security.archlinux.org/CVE-2023-45853


Required By     : keepassxc

Ooops, yeah not fun. :clown_face:
Still, don’t worry too much… It’s very unlikely you’ll get a virus able to exploit it before a fix comes.


I did look at this (https://security.archlinux.org/), so you mean if it’s referenced there it means somebody “cares”?

(I’m actually more “concerned” with the grub CVE-2022-28734 one which states “remote”… might motivate me to switch from grub at last)

yeah I know that’s kind of why I asked
Couldn’t find anything on THE internet though

Yes, that’s exactly what it means - they’re on it.


and there is no alternative to minizip for those programs, I assume? (again, couldn’t find anything)


On a second thought…

Created Tue Oct 24 14:22:35 2023

(c) https://security.archlinux.org/AVG-2847

Da fuq?!

Maybe it’s not as critical as it’s written :thinking:
Still it’s on the list of most distros vulnerabilities…


saw that too… hey, I survived that long at least :sweat_smile:


Don’t rush… it seems like the fix is already in 1.3.1

:thinking:

@dalto what do you say, is it just that the Arch security guys forgot to mark it as solved, or am I missing something?


It looks like a version with the fix is in the repos but the CVE hasn’t gone through the re-review process so the CVE is still open.

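An added check for the situation described in that answer (fix already in the repos, tracker entry still open), written for this thread and not taken from arch-audit, pacman or the tracker: it parses arch-audit's line format, re-implements pacman's vercmp ordering in simplified form, and compares the installed version against a tracker "fixed" version. The tracker entry and its field names are constructed assumptions, not the tracker's real API.

```python
import re
# Constructed sample: one line in the format "arch-audit -c" prints (copied from the thread).
AUDIT_LINES = ["minizip is affected by arbitrary code execution. (CVE-2023-45853). Critical risk!"]
# Constructed stand-in for a tracker entry; these field names are an assumption, not the tracker's API.
TRACKER = {"minizip": {"status": "Vulnerable", "fixed": "1:1.3.1-1", "issues": ["CVE-2023-45853"]}}
INSTALLED = {"minizip": "1:1.3.1-1"}  # version reported by "yay -Qi minizip" in the thread
AUDIT_RE = re.compile(r"^(?P<pkg>\S+) is affected by .*?\. \((?P<cves>[^)]*)\)\. (?P<risk>\w+) risk!$")
VERSION_RE = re.compile(r"(?:(\d+):)?([^-]+)(?:-(.+))?$")  # [epoch:]pkgver[-pkgrel]

def parse_audit_line(line):
    """Split one arch-audit line into package, CVE list and risk label (None if it does not parse)."""
    m = AUDIT_RE.match(line.strip())
    return m and {"pkg": m["pkg"], "cves": m["cves"].split(", "), "risk": m["risk"]}

def _cmp_segments(a, b):
    """Simplified pacman/rpmvercmp ordering: numeric runs compare as ints, alpha runs lexically."""
    sa, sb = re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment outranks an alpha one
        elif x != y:
            return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # A leftover numeric segment means newer (1.3 < 1.3.1); a leftover alpha one means older (1.0a < 1.0).
    a_is_shorter = len(sa) < len(sb)
    rest = sb[len(sa)] if a_is_shorter else sa[len(sb)]
    return (-1 if a_is_shorter else 1) * (1 if rest.isdigit() else -1)

def vercmp(a, b):
    """Compare two pacman versions; returns -1, 0 or 1 like /usr/bin/vercmp (simplified)."""
    (ea, va, ra), (eb, vb, rb) = VERSION_RE.match(a).groups(), VERSION_RE.match(b).groups()
    ea, eb = int(ea or 0), int(eb or 0)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _cmp_segments(va, vb)
    return c if c or not (ra and rb) else _cmp_segments(ra, rb)  # pkgrel only breaks a tie

def fix_status(installed, record):
    """'fix installed' when the installed build is at or past the tracker's fixed version."""
    if not record.get("fixed"):
        return "no fixed version yet"
    return "fix installed" if vercmp(installed, record["fixed"]) >= 0 else "update pending"

def audit(lines=AUDIT_LINES, tracker=TRACKER, installed=INSTALLED):
    hits = [h for h in map(parse_audit_line, lines) if h and h["pkg"] in tracker and h["pkg"] in installed]
    return [(h["pkg"], h["risk"], fix_status(installed[h["pkg"]], tracker[h["pkg"]])) for h in hits]
```

For a real run, replace the constructed inputs with `arch-audit -c` output, `pacman -Q` versions and the tracker's published fixed versions; `vercmp` here is a simplified port and `/usr/bin/vercmp` remains the authority on edge cases.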

We’re talking about arch repos, not just github, right? (both I guess…)

From what I see it seems like it anyway…

Thanks a lot guys for your help and clarifications.

Both. The Arch team just has to double-check it themselves… but it’s likely fixed upstream.


Cheers!

…and let’s not talk about the other ones on the list of my arch-audit :sweat_smile:

unless there’s anything to say about grub? (well… “move from it already” probably…)