
#1 2024-04-02 13:04:39

flamemagister
Member
Registered: 2024-04-02
Posts: 9

Outstanding CVEs generated by arch-audit

Hi all,

First time post here, having distro hopped countless times I finally feel like I found the "my distro" - arch of course. It's the first distro that's actually convinced me to ditch Windows completely. I'm slowly getting to grips with arch but I could do with some guidance on one aspect.

Triggered in part by the recent XZ issue, I wanted to look at ways in which I could harden my install e.g. remove unneeded services, configuration issues, unpatched CVEs etc. Nothing drastic just good hygiene.

I ran arch-audit and lynis, working through the suggestions that made the most sense - it's a good way I think to get more familiar with arch and improve my understanding of linux security. I was a little surprised to see arch-audit throw as many outstanding CVEs as it did (replicated below), with some dating back some years. It seems unlikely these have not been dealt with upstream but I was wondering if anyone could tell me if arch-audit is accurate in returning these results? And if they are still genuinely unresolved CVEs why that might be the case. Not a criticism on anyone, just genuinely wanting to know more.

The list is:

grub is affected by multiple issues. (CVE-2022-28737, CVE-2022-28736, CVE-2022-28735, CVE-2022-28734, CVE-2022-28733, CVE-2021-3697, CVE-2021-3696, CVE-2021-3695). High risk!
apr is affected by information disclosure. (CVE-2021-35940). Medium risk!
cpio is affected by arbitrary command execution. (CVE-2021-38185). Medium risk!
giflib is affected by information disclosure. (CVE-2020-23922). Medium risk!
gnuchess is affected by arbitrary code execution. (CVE-2021-30184). Medium risk!
lib32-libsndfile is affected by arbitrary code execution. (CVE-2021-3246). Medium risk!
libgrss is affected by man-in-the-middle. (CVE-2016-20011). Medium risk!
libheif is affected by information disclosure. (CVE-2020-23109). Medium risk!
libtiff is affected by unknown, denial of service. (CVE-2022-48281, CVE-2022-3970, CVE-2022-3627, CVE-2022-3599, CVE-2022-3597, CVE-2022-3570, CVE-2022-34526, CVE-2022-2953, CVE-2022-2869, CVE-2022-2868, CVE-2022-2867, CVE-2022-2521, CVE-2022-2520, CVE-2022-2519, CVE-2022-2058, CVE-2022-2057, CVE-2022-2056, CVE-2022-1623, CVE-2022-1622, CVE-2022-1355, CVE-2022-1354). Medium risk!
linux is affected by multiple issues, insufficient validation. (CVE-2021-43976, CVE-2021-4095, CVE-2021-4028, CVE-2021-3847, CVE-2021-3752, CVE-2021-3669, CVE-2021-31615, CVE-2020-26560, CVE-2020-26559, CVE-2020-26557, CVE-2020-26556, CVE-2020-26555, CVE-2020-35501). Medium risk!
linux-hardened is affected by multiple issues. (CVE-2021-43976, CVE-2021-4095, CVE-2021-4028, CVE-2021-3847, CVE-2021-3752, CVE-2021-3669). Medium risk!
openjpeg2 is affected by arbitrary code execution. (CVE-2021-3575). Medium risk!
openssl is affected by arbitrary command execution. (CVE-2022-2068). Medium risk!
perl is affected by signature forgery, directory traversal. (CVE-2020-16156, CVE-2021-36770). Medium risk!
wget is affected by information disclosure. (CVE-2021-31879). Medium risk!
xdg-utils is affected by information disclosure. (CVE-2020-27748). Medium risk!
nasm is affected by denial of service. (CVE-2020-18974). Low risk!
p7zip is affected by denial of service. (CVE-2021-3465). Low risk!

When I run arch-audit with the -u flag (i.e. upgradable) it returns nothing, suggesting that what can be upgraded has been.

Many thanks in advance for helping me understand this a bit better.

FM.


#2 2024-04-02 13:15:34

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,992

Re: Outstanding CVEs generated by arch-audit

I don't think that arch-audit is overly up-to-date.
On my machine:

~> arch-audit                                                                     2024-04-02T15:07:59
minizip is affected by arbitrary code execution. Critical risk!
apr is affected by information disclosure. Medium risk!
cpio is affected by arbitrary command execution. Medium risk!
evolution is affected by insufficient validation. Medium risk!
giflib is affected by information disclosure. Medium risk!
libgrss is affected by man-in-the-middle. Medium risk!
libheif is affected by information disclosure. Medium risk!
libtiff is affected by unknown, denial of service. Medium risk!
linux is affected by multiple issues, insufficient validation. Medium risk!
openjpeg2 is affected by arbitrary code execution. Medium risk!
openssl is affected by arbitrary command execution. Medium risk!
openvpn is affected by information disclosure. Medium risk!
perl is affected by signature forgery, directory traversal. Medium risk!
wget is affected by information disclosure. Medium risk!
xdg-utils is affected by information disclosure. Medium risk!
~> LANG=C pacman -Qi minizip                                                      2024-04-02T15:12:05
Name            : minizip
Version         : 1:1.3.1-1
Description     : Mini zip and unzip based on zlib
Architecture    : x86_64
URL             : https://www.zlib.net/
Licenses        : Zlib
Groups          : None
Provides        : None
Depends On      : glibc  zlib
Optional Deps   : None
Required By     : chromium  qt5-webengine  qt6-webengine
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 85.87 KiB
Packager        : Levente Polyak <anthraxx@archlinux.org>
Build Date      : Mon Jan 22 20:50:29 2024
Install Date    : Wed Jan 24 08:43:23 2024
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

~>                                                                                2024-04-02T15:12:08

However this issue was fixed with release 1.3.1, but the appropriate AVG has not been updated yet.
At any rate, nothing beats looking into the CVEs yourself. It will probably not hurt security that arch-audit is a bit slow on updates and thus on the conservative side.

Last edited by schard (2024-04-02 13:16:36)


macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }

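The two posts above turn on one mechanism: arch-audit does not inspect binaries, it compares the version pacman says is installed against the "fixed" version recorded in the Arch security tracker's AVG entry, and an AVG whose fixed version is still empty keeps being reported no matter what upstream has shipped. The script below is an added example (not code from the thread, from arch-audit, or from the security tracker) that reproduces that decision offline. It carries a vercmp modelled on alpm's epoch:pkgver-pkgrel comparison (alpm's separator-length tie-break is omitted), an audit() that applies the rule to constructed AVG records and constructed `pacman -Q` output, and a formatter that renders the "X is affected by Y. Z risk!" lines seen above. The JSON field names (packages, status, severity, type, fixed, issues) mirror the tracker's all.json as I understand it and the "upgradable" rule approximates what `-u` is meant to show; both are assumptions. AVG names, CVE ids and versions in the sample data are placeholders, except that the minizip entry deliberately mirrors schard's case: installed 1:1.3.1-1, upstream fix in 1.3.1, AVG not yet updated.

```python
"""Version-based CVE audit, the way arch-audit decides "affected" (added example;
field names and the -u rule are assumptions, sample data is constructed)."""
import re


def _split_evr(v):
    """Split 'epoch:pkgver-pkgrel' into (int epoch, pkgver, pkgrel or None)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    ver, rel = rest.rsplit("-", 1) if "-" in rest else (rest, None)
    return int(epoch), ver, rel


def _segcmp(a, b):
    """Segment-wise compare as alpm does: digit runs numerically, alpha runs
    lexically, a digit run beats an alpha run, and a trailing alpha run
    (e.g. 'rc1') sorts below no run at all."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    a_longer = len(ta) > len(tb)
    tail = ta[len(tb)] if a_longer else tb[len(ta)]
    if tail.isdigit():
        return 1 if a_longer else -1
    return -1 if a_longer else 1


def vercmp(a, b):
    """<0, 0, >0 like `vercmp a b`; pkgrel only counts when both versions have one."""
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _segcmp(va, vb)
    if c != 0 or ra is None or rb is None:
        return c
    return _segcmp(ra, rb)


def parse_pacman_q(text):
    """Parse `pacman -Q` output ('name version' per line) into {name: version}."""
    return {p[0]: p[1] for p in (l.split() for l in text.splitlines()) if len(p) == 2}


def audit(avgs, installed):
    """One finding per installed package an AVG still applies to: either no
    fixed version is recorded yet (fixed is None, the stale-AVG case in this
    thread) or the installed version is older than the fixed one.
    'upgradable' means a fix version exists and you are below it (what -u
    is expected to list; assumption)."""
    findings = []
    for avg in avgs:
        if avg.get("status") == "Not affected":
            continue
        for pkg in avg["packages"]:
            if pkg not in installed:
                continue
            fixed = avg.get("fixed")
            if fixed is not None and vercmp(installed[pkg], fixed) >= 0:
                continue  # already at or past the fixed version
            findings.append({"package": pkg, "severity": avg["severity"],
                             "type": avg["type"], "issues": list(avg["issues"]),
                             "fixed": fixed, "upgradable": fixed is not None})
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    findings.sort(key=lambda f: (order.get(f["severity"], 9), f["package"]))
    return findings


def format_findings(findings, upgradable_only=False):
    """Render findings in arch-audit's 'X is affected by Y. Z risk!' style."""
    return [f'{f["package"]} is affected by {f["type"]}. '
            f'({", ".join(f["issues"])}). {f["severity"]} risk!'
            for f in findings if f["upgradable"] or not upgradable_only]


# Constructed sample data: placeholder AVG names / CVE ids / versions.
SAMPLE_AVGS = [
    {"name": "AVG-PLACEHOLDER-1", "packages": ["minizip"], "status": "Vulnerable",
     "severity": "Critical", "type": "arbitrary code execution", "fixed": None,
     "issues": ["CVE-0000-0001"]},          # fixed upstream, AVG not updated
    {"name": "AVG-PLACEHOLDER-2", "packages": ["cpio"], "status": "Vulnerable",
     "severity": "Medium", "type": "arbitrary command execution", "fixed": None,
     "issues": ["CVE-0000-0002"]},
    {"name": "AVG-PLACEHOLDER-3", "packages": ["wget"], "status": "Fixed",
     "severity": "Medium", "type": "information disclosure", "fixed": "1.21.4-1",
     "issues": ["CVE-0000-0003"]},          # installed == fixed: not reported
    {"name": "AVG-PLACEHOLDER-4", "packages": ["openssl"], "status": "Fixed",
     "severity": "High", "type": "arbitrary command execution", "fixed": "3.2.1-1",
     "issues": ["CVE-0000-0004"]},          # installed < fixed: upgradable
    {"name": "AVG-PLACEHOLDER-5", "packages": ["gnuchess"], "status": "Vulnerable",
     "severity": "Medium", "type": "arbitrary code execution", "fixed": None,
     "issues": ["CVE-0000-0005"]},          # not installed: ignored
]
SAMPLE_PACMAN_Q = "cpio 2.14-1\nminizip 1:1.3.1-1\nopenssl 3.2.0-1\nwget 1.21.4-1\n"


def run_sample():
    """Audit the constructed data; returns (all findings, upgradable-only lines)."""
    findings = audit(SAMPLE_AVGS, parse_pacman_q(SAMPLE_PACMAN_Q))
    return findings, format_findings(findings, upgradable_only=True)


if __name__ == "__main__":
    all_findings, upgradable = run_sample()
    print("\n".join(format_findings(all_findings)))
    print("--- upgradable only ---")
    print("\n".join(upgradable) or "(nothing)")
```

Run as-is it prints minizip, openssl and cpio as affected, but only openssl under "upgradable only": minizip and cpio have no fixed version on record, so there is nothing for `-u` to offer even though minizip is in fact fixed. That is exactly the pattern in the first post (a long list from plain arch-audit, nothing from `-u`), and it is why the only reliable next step is to open each AVG and compare its fixed version, or the upstream changelog, against what `pacman -Qi` reports.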

#3 2024-04-15 06:26:11

flamemagister
Member
Registered: 2024-04-02
Posts: 9

Re: Outstanding CVEs generated by arch-audit

Hi @schard, apologies for the late reply - been in the middle of changing jobs, moving etc.

Thanks for the response and based on my read it seems the issue is that arch-audit and the AVG (for some CVEs at least) don't appear updated. Agreed one could go through the individual CVEs but it does take a while. I'm giving some thought on how I can contribute to improve this.

Thanks again and kind regards,

FM.

