2020-03-03
ALT-BU-2020-3681-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Published: 2019-12-16
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-10773
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
Severity: MEDIUM (6.8)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- https://access.redhat.com/errata/RHSA-2020:0475
- https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
- https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
- https://snyk.io/vuln/SNYK-JS-YARN-537806%2C
- https://access.redhat.com/errata/RHSA-2020:0475
- https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
- https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
- https://snyk.io/vuln/SNYK-JS-YARN-537806%2C
Published: 2020-03-15
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-15608
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
Severity: MEDIUM (4.3)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
- https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
- https://hackerone.com/reports/703138
- https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
- https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
- https://hackerone.com/reports/703138
Published: 2020-02-24
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-8131
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
Severity: MEDIUM (5.1)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Package plasma5-workspace updated to version 5.18.1-alt7 for branch sisyphus in task 247209.
Closed bugs
Проблема с alt-app-starter при запуске из контекстного меню главного меню
Closed vulnerabilities
Published: 2019-06-06
BDU:2019-02881
Уязвимость функции BZ2_decompress утилиты для сжатия данных bzip2, позволяющая нарушителю выполнить произвольный код
Severity: HIGH (8.6)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity: HIGH (7.2)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2016-06-30
BDU:2021-01720
Уязвимость функции bzip2recover программного обеспечения для сжатия данных Bzip2, связанная с использованием после освобождения, позволяющая нарушителю вызвать отказ в обслуживании
Severity: MEDIUM (6.5)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Severity: MEDIUM (4.3)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
Published: 2016-06-30
Modified: 2025-06-09
Modified: 2025-06-09
CVE-2016-3189
Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
Severity: MEDIUM (4.3)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- http://www.openwall.com/lists/oss-security/2016/06/20/1
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/91297
- http://www.securitytracker.com/id/1036132
- https://bugzilla.redhat.com/show_bug.cgi?id=1319648
- https://lists.apache.org/thread.html/r19b4a70ac52093115fd71d773a7a4f579599e6275a13cfcf6252c3e3%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r1dc4c9b3bd559301bdb1557245f78b8910146efb1ee534b774c5f6af%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r481cda41fefb03e04c51484ed14421d812e5ce9e0972edff10f37260%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r4ad2ea01354e394b7fa8c78a184b7e1634d51be9bc0e9e4d7e6c9305%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r5f7ac2bd631ccb12ced65b71ff11f94e76d05b22000795e4a7b61203%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r5f80cf3ade5bb73410643e885fe6b7bf9f0222daf3533e42c7ae240c%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r6e3962fc9f6a79851f70cffdec5759065969cec9c6708b964464b301%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/redf17d8ad16140733b25ca402ae825d6dfa9b85f73d9fb3fd0c75d73%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rffebcbeaace56ff1fed7916700d2f414ca1366386fb1293e99b3e31e%40%3Cjira.kafka.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html
- https://seclists.org/bugtraq/2019/Aug/4
- https://seclists.org/bugtraq/2019/Jul/22
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
- https://security.gentoo.org/glsa/201708-08
- https://usn.ubuntu.com/4038-1/
- https://usn.ubuntu.com/4038-2/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- http://www.openwall.com/lists/oss-security/2016/06/20/1
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/91297
- http://www.securitytracker.com/id/1036132
- https://bugzilla.redhat.com/show_bug.cgi?id=1319648
- https://lists.apache.org/thread.html/r19b4a70ac52093115fd71d773a7a4f579599e6275a13cfcf6252c3e3%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r1dc4c9b3bd559301bdb1557245f78b8910146efb1ee534b774c5f6af%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r481cda41fefb03e04c51484ed14421d812e5ce9e0972edff10f37260%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r4ad2ea01354e394b7fa8c78a184b7e1634d51be9bc0e9e4d7e6c9305%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r5f7ac2bd631ccb12ced65b71ff11f94e76d05b22000795e4a7b61203%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r5f80cf3ade5bb73410643e885fe6b7bf9f0222daf3533e42c7ae240c%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r6e3962fc9f6a79851f70cffdec5759065969cec9c6708b964464b301%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/redf17d8ad16140733b25ca402ae825d6dfa9b85f73d9fb3fd0c75d73%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rffebcbeaace56ff1fed7916700d2f414ca1366386fb1293e99b3e31e%40%3Cjira.kafka.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html
- https://seclists.org/bugtraq/2019/Aug/4
- https://seclists.org/bugtraq/2019/Jul/22
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
- https://security.gentoo.org/glsa/201708-08
- https://usn.ubuntu.com/4038-1/
- https://usn.ubuntu.com/4038-2/
- https://www.oracle.com/security-alerts/cpuoct2020.html
Published: 2019-06-19
Modified: 2025-06-09
Modified: 2025-06-09
CVE-2019-12900
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Severity: HIGH (7.5)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774%40%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4%40%3Cuser.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html
- https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html
- https://seclists.org/bugtraq/2019/Aug/4
- https://seclists.org/bugtraq/2019/Jul/22
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
- https://support.f5.com/csp/article/K68713584?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/4038-1/
- https://usn.ubuntu.com/4038-2/
- https://usn.ubuntu.com/4146-1/
- https://usn.ubuntu.com/4146-2/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774%40%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4%40%3Cuser.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html
- https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html
- https://seclists.org/bugtraq/2019/Aug/4
- https://seclists.org/bugtraq/2019/Jul/22
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
- https://support.f5.com/csp/article/K68713584?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/4038-1/
- https://usn.ubuntu.com/4038-2/
- https://usn.ubuntu.com/4146-1/
- https://usn.ubuntu.com/4146-2/
- https://www.oracle.com/security-alerts/cpuoct2020.html