How To Find Vulnerable Packages In Arch Linux

Arch-audit - Find Vulnerable Packages In Arch Linux

Keeping your OS and all of its packages up to date is always a best practice. Since Arch Linux is a rolling release, Arch users receive fixes and software updates every few days, sooner than users of fixed-release distributions. However, sometimes users can't update their Arch system because of insufficient Internet data, or they are simply too lazy to upgrade, or they avoid updating for fear that it might break the system. If you don't update your Arch Linux often, you need to check it for vulnerabilities from time to time, and if any high-risk vulnerabilities turn up you can update the system immediately. This is where the Arch-audit tool comes in handy. It helps you find the vulnerable packages in Arch Linux and its derivatives, such as Antergos and Manjaro Linux.

Arch-audit is a utility, similar to pkg-audit, based on data from the Arch CVE (Common Vulnerabilities and Exposures) Monitoring Team. The Arch CVE Monitoring Team (ACMT) is a group of volunteers who help identify packages with security vulnerabilities in Arch Linux and notify their maintainers. The main goal of ACMT is to find bugs in all packages and notify the developers if there are any vulnerabilities. In this brief tutorial, we will see how to find vulnerable packages in Arch Linux using the Arch-audit utility.

Find Vulnerable Packages In Arch Linux using Arch-audit

arch-audit is available in the community repository, so you can install it using pacman as shown below.

sudo pacman -S arch-audit

Once installed, run the following command to find vulnerable packages:

arch-audit

Sample output:

Package binutils is affected by ["CVE-2017-9044", "CVE-2017-9043", "CVE-2017-9042", "CVE-2017-9041", "CVE-2017-9040", "CVE-2017-9039", "CVE-2017-9038", "CVE-2017-7210", "CVE-2017-7209", "CVE-2017-6969", "CVE-2017-6966", "CVE-2017-6965"]. High risk!
Package bluez is affected by ["CVE-2017-1000250"]. High risk! Update to 5.46-2!
Package cairo is affected by ["CVE-2017-7475"]. Low risk!
Package chromium is affected by ["CVE-2017-5120", "CVE-2017-5119", "CVE-2017-5118", "CVE-2017-5117", "CVE-2017-5116", "CVE-2017-5115", "CVE-2017-5114", "CVE-2017-5113", "CVE-2017-5112", "CVE-2017-5111"]. Critical risk! Update to 61.0.3163.79-1!
Package curl is affected by ["CVE-2017-1000101", "CVE-2017-1000100", "CVE-2017-1000099"]. Medium risk! Update to 7.55-1!
Package exiv2 is affected by ["CVE-2017-11592", "CVE-2017-11591", "CVE-2017-11553"]. Medium risk!
Package faad2 is affected by ["CVE-2017-9257", "CVE-2017-9256", "CVE-2017-9255", "CVE-2017-9254", "CVE-2017-9253", "CVE-2017-9223", "CVE-2017-9222", "CVE-2017-9221", "CVE-2017-9220", "CVE-2017-9219", "CVE-2017-9218"]. High risk!
Package ffmpeg is affected by ["CVE-2017-14225", "CVE-2017-14223", "CVE-2017-14222", "CVE-2017-14171", "CVE-2017-14170", "CVE-2017-14169", "CVE-2017-14059", "CVE-2017-14058", "CVE-2017-14057", "CVE-2017-14056", "CVE-2017-14055", "CVE-2017-14054"]. Medium risk! Update to 1:3.3.4-1!
Package ffmpeg2.8 is affected by ["CVE-2017-14223", "CVE-2017-14222", "CVE-2017-14225", "CVE-2017-14171", "CVE-2017-14170", "CVE-2017-14169", "CVE-2017-14059", "CVE-2017-14058", "CVE-2017-14057", "CVE-2017-14056", "CVE-2017-14055"]. Medium risk! Update to 2.8.13-1!
Package flashplugin is affected by ["CVE-2017-11282", "CVE-2017-11281", "CVE-2017-3106", "CVE-2017-3085"]. Critical risk! Update to 26.0.0.151-1!
Package glibc is affected by ["CVE-2017-12133", "CVE-2017-12132"]. Critical risk!
Package jasper is affected by ["CVE-2017-9782", "CVE-2017-6852", "CVE-2017-6850", "CVE-2017-5505", "CVE-2017-5504", "CVE-2017-5503"]. High risk!
Package lame is affected by ["CVE-2017-9872", "CVE-2017-9871", "CVE-2017-9870", "CVE-2017-9869", "CVE-2015-9101"]. Medium risk!
Package lib32-expat is affected by ["CVE-2017-9233", "CVE-2016-9063"]. Medium risk! Update to 2.2.2-1!
Package lib32-glibc is affected by ["CVE-2017-12133", "CVE-2017-12132"]. Critical risk!
Package lib32-libgcrypt is affected by ["CVE-2017-0379"]. Medium risk! Update to 1.8.1-1!
Package libffi is affected by ["CVE-2017-1000376"]. High risk!
Package libgcrypt is affected by ["CVE-2017-0379"]. Medium risk! Update to 1.8.1-1!
Package libsoup is affected by ["CVE-2017-2885"]. Critical risk! Update to 2.58.2-1!
Package libvorbis is affected by ["CVE-2017-11735", "CVE-2017-11333"]. Low risk!
Package libzip is affected by ["CVE-2017-12858"]. High risk!
Package linux is affected by ["CVE-2017-9986", "CVE-2017-9985", "CVE-2017-9984", "CVE-2017-1000379", "CVE-2017-1000371", "CVE-2017-1000370", "CVE-2017-1000365", "CVE-2017-1000251"]. High risk! Update to 4.12.13-1!
Package newsbeuter is affected by ["CVE-2017-14500", "CVE-2017-12904", "CVE-2017-12904"]. High risk! Update to 2.9-7!
Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. High risk!
Package pcre is affected by ["CVE-2017-11164"]. Medium risk!
Package pcre2 is affected by ["CVE-2017-7186"]. Medium risk!
Package podofo is affected by ["CVE-2017-7994", "CVE-2017-7383", "CVE-2017-7382", "CVE-2017-7381", "CVE-2017-7380", "CVE-2017-7379", "CVE-2017-7378", "CVE-2017-6842", "CVE-2017-6841", "CVE-2017-6840"]. High risk!
Package webkit2gtk is affected by ["CVE-2017-7064", "CVE-2017-7061", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7048", "CVE-2017-7046", "CVE-2017-7039", "CVE-2017-7037", "CVE-2017-7034", "CVE-2017-7030", "CVE-2017-7018"]. Critical risk! Update to 2.16.6-1!
Package xorg-server is affected by ["CVE-2017-10972", "CVE-2017-10971"]. High risk! Update to 1.19.3-3!

As you can see in the output above, each affected package is rated low, medium, high or critical risk, together with the CVE identifiers it is affected by. Where a fixed package has already been published, the line ends with the version to update to; packages without an "Update to" note have no fix in the repositories yet.

To show only the vulnerable package names (with the fixed version, where one exists), use the -q flag as shown below:

$ arch-audit -q
binutils
bluez>=5.46-2
cairo
chromium>=61.0.3163.79-1
curl>=7.55-1
exiv2
faad2
ffmpeg>=1:3.3.4-1
ffmpeg2.8>=2.8.13-1
flashplugin>=26.0.0.151-1
glibc
jasper
lame
lib32-expat>=2.2.2-1
lib32-glibc
lib32-libgcrypt>=1.8.1-1
libffi
libgcrypt>=1.8.1-1
libsoup>=2.58.2-1
libvorbis
libzip
linux>=4.12.13-1
newsbeuter>=2.9-7
openjpeg2
pcre
pcre2
podofo
webkit2gtk>=2.16.6-1
xorg-server>=1.19.3-3

To show only packages for which a fix has already been published, use the -u flag (combined here with -q):

$ arch-audit -qu
bluez>=5.46-2
chromium>=61.0.3163.79-1
curl>=7.55-1
ffmpeg>=1:3.3.4-1
ffmpeg2.8>=2.8.13-1
flashplugin>=26.0.0.151-1
lib32-expat>=2.2.2-1
lib32-libgcrypt>=1.8.1-1
libgcrypt>=1.8.1-1
libsoup>=2.58.2-1
linux>=4.12.13-1
newsbeuter>=2.9-7
webkit2gtk>=2.16.6-1
xorg-server>=1.19.3-3

The packages listed above have already been fixed by the developers; the version after >= is the one that contains the fix.
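As an added example (not part of arch-audit or of the original post), the following POSIX shell script parses the human-readable report shown above with awk and rebuilds the -q and -qu views from it, then adds a severity cut-off so that, when a full upgrade is not possible right away, you can list just the fixed packages rated high or critical. The function names and the embedded SAMPLE_REPORT (constructed from the sample output above) are my own; on a real system, pipe arch-audit into parse_report instead.

```shell
#!/bin/sh
# Added example, not part of arch-audit or of the original post: parse the
# human-readable arch-audit report with awk and derive the same views that
# the -q and -qu flags produce, plus a severity cut-off for a targeted update.
# Feed it real data with:  arch-audit | parse_report
# SAMPLE_REPORT is constructed from the sample output shown in the post.

SAMPLE_REPORT='Package binutils is affected by ["CVE-2017-9044", "CVE-2017-9043"]. High risk!
Package bluez is affected by ["CVE-2017-1000250"]. High risk! Update to 5.46-2!
Package cairo is affected by ["CVE-2017-7475"]. Low risk!
Package chromium is affected by ["CVE-2017-5120", "CVE-2017-5119"]. Critical risk! Update to 61.0.3163.79-1!
Package glibc is affected by ["CVE-2017-12133", "CVE-2017-12132"]. Critical risk!
Package libgcrypt is affected by ["CVE-2017-0379"]. Medium risk! Update to 1.8.1-1!'

# Read report lines on stdin; emit one tab-separated record per package:
#   name  severity  cve_count  fixed_version   ("-" when no fix is known yet)
parse_report() {
    awk '
    /^Package / {
        name = $2
        sev = "unknown"
        if (match($0, /(Low|Medium|High|Critical) risk!/)) {
            sev = substr($0, RSTART, RLENGTH)
            sub(/ risk!/, "", sev)
        }
        fixed = "-"
        if (match($0, /Update to [^!]+!/)) {
            # strip the leading "Update to " (10 chars) and the trailing "!"
            fixed = substr($0, RSTART + 10, RLENGTH - 11)
        }
        # gsub returns how many CVE identifiers it replaced (with themselves)
        cves = gsub(/CVE-[0-9]+-[0-9]+/, "&")
        printf "%s\t%s\t%d\t%s\n", name, sev, cves, fixed
    }'
}

# Equivalent of `arch-audit -q`: name, or name>=version when a fix exists.
quiet_view() {
    parse_report | awk -F'\t' '{ if ($4 == "-") print $1; else print $1 ">=" $4 }'
}

# Equivalent of `arch-audit -qu`: only packages whose fix is already published.
upgradable_view() {
    parse_report | awk -F'\t' '$4 != "-" { print $1 ">=" $4 }'
}

# Names of fixed packages rated at or above the given severity, e.g. for a
# targeted `sudo pacman -S $(arch-audit | fixed_at_or_above High)` when a
# full -Syu is not possible right away.
fixed_at_or_above() {
    parse_report | awk -F'\t' -v min="$1" '
    BEGIN { rank["Low"] = 1; rank["Medium"] = 2; rank["High"] = 3; rank["Critical"] = 4 }
    $4 != "-" && rank[$2] >= rank[min] { print $1 }'
}

echo "== -q view =="
printf '%s\n' "$SAMPLE_REPORT" | quiet_view
echo "== -qu view =="
printf '%s\n' "$SAMPLE_REPORT" | upgradable_view
echo "== fixed packages rated High or Critical =="
printf '%s\n' "$SAMPLE_REPORT" | fixed_at_or_above High
```

The script keys on the exact wording of the report ("High risk!", "Update to ...!"), which arch-audit could change between versions, so treat it as a report-reading aid for prioritising updates rather than a replacement for the tool's own flags. Packages without a published fix still show up in the -q view but not in the upgradable or severity views, which is the point: for those, the only remediation is to wait for the fixed package or mitigate the exposure some other way.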

You should update the high-risk and critical-risk packages as soon as possible. However, I recommend updating all of them by simply running the following command:

sudo pacman -Syu

For more details about arch-audit, refer to its man page:

man arch-audit

And that's all for now, folks. Hope this helps. If you find this guide useful, please share it on your social and professional networks and support OSTechNix! More good stuff to come. Stay tuned!

Cheers!
