From 1b512445b0285ab11543251e6ed8bf47a66ba5c0 Mon Sep 17 00:00:00 2001 From: pepelyaevip Date: Thu, 25 Jan 2024 09:02:29 +0000 Subject: [PATCH] ALT Vulnerability --- oval/c10f2/ALT-PU-2024-1166/definitions.json | 131 +++++++++++++++++++ oval/c10f2/ALT-PU-2024-1166/objects.json | 46 +++++++ oval/c10f2/ALT-PU-2024-1166/states.json | 23 ++++ oval/c10f2/ALT-PU-2024-1166/tests.json | 54 ++++++++ oval/c10f2/ALT-PU-2024-1261/definitions.json | 73 +++++++++++ oval/c10f2/ALT-PU-2024-1261/objects.json | 34 +++++ oval/c10f2/ALT-PU-2024-1261/states.json | 23 ++++ oval/c10f2/ALT-PU-2024-1261/tests.json | 30 +++++ 8 files changed, 414 insertions(+) create mode 100644 oval/c10f2/ALT-PU-2024-1166/definitions.json create mode 100644 oval/c10f2/ALT-PU-2024-1166/objects.json create mode 100644 oval/c10f2/ALT-PU-2024-1166/states.json create mode 100644 oval/c10f2/ALT-PU-2024-1166/tests.json create mode 100644 oval/c10f2/ALT-PU-2024-1261/definitions.json create mode 100644 oval/c10f2/ALT-PU-2024-1261/objects.json create mode 100644 oval/c10f2/ALT-PU-2024-1261/states.json create mode 100644 oval/c10f2/ALT-PU-2024-1261/tests.json diff --git a/oval/c10f2/ALT-PU-2024-1166/definitions.json b/oval/c10f2/ALT-PU-2024-1166/definitions.json new file mode 100644 index 0000000000..62ef1c2f14 --- /dev/null +++ b/oval/c10f2/ALT-PU-2024-1166/definitions.json @@ -0,0 +1,131 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20241166", + "Version": "oval:org.altlinux.errata:def:20241166", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-1166: package `libwebp` update to version 1.3.2-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch c10f2" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-1166", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-1166", + "Source": "ALTPU" + }, + { + "RefID": "BDU:2023-02923", + "RefURL": "https://bdu.fstec.ru/vul/2023-02923", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05510", + "RefURL": "https://bdu.fstec.ru/vul/2023-05510", + "Source": "BDU" + }, + { + "RefID": "CVE-2023-1999", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-1999", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-4863", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863", + "Source": "CVE" + } + ], + "Description": "This update upgrades libwebp to version 1.3.2-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02923: Уязвимость функции EncodeAlphaInternal() библиотеки libwebp для кодирования и декодирования изображений в формате WebP браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05510: Уязвимость библиотеки libwebp для кодирования и декодирования изображений в формате WebP, связанная с чтением за границами буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-1999: There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. \n\n\n * CVE-2023-4863: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "High", + "Rights": "Copyright 2023 BaseALT Ltd.", + "Issued": { + "Date": "2024-01-25" + }, + "Updated": { + "Date": "2024-01-25" + }, + "bdu": [ + { + "Cvss": "AV:N/AC:H/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-119, CWE-415", + "Href": "https://bdu.fstec.ru/vul/2023-02923", + "Impact": "High", + "Public": "20230223", + "CveID": "BDU:2023-02923" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-125", + "Href": "https://bdu.fstec.ru/vul/2023-05510", + "Impact": "High", + "Public": "20230911", + "CveID": "BDU:2023-05510" + } + ], + "Cves": [ + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-415", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-1999", + "Impact": "High", + "Public": "20230620", + "CveID": "CVE-2023-1999" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-787", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-4863" + } + ], + "AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:spworkstation:10", + "cpe:/o:alt:spserver:10" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:5001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:20241166001", + "Comment": "libwebp-devel is earlier than 0:1.3.2-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20241166002", + "Comment": "libwebp-tools is earlier than 0:1.3.2-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20241166003", + "Comment": "libwebp7 is earlier than 0:1.3.2-alt1" + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/oval/c10f2/ALT-PU-2024-1166/objects.json b/oval/c10f2/ALT-PU-2024-1166/objects.json new file mode 100644 index 0000000000..7246da5923 --- /dev/null +++ b/oval/c10f2/ALT-PU-2024-1166/objects.json @@ -0,0 +1,46 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:5001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20241166001", + "Version": "1", + "comment": "libwebp-devel is installed", + "Name": "libwebp-devel" + }, + { + "ID": "oval:org.altlinux.errata:obj:20241166002", + "Version": "1", + "comment": "libwebp-tools is installed", + "Name": "libwebp-tools" + }, + { + "ID": "oval:org.altlinux.errata:obj:20241166003", + "Version": "1", + "comment": "libwebp7 is installed", + "Name": "libwebp7" + } + ] +} \ No newline at end of file diff --git a/oval/c10f2/ALT-PU-2024-1166/states.json b/oval/c10f2/ALT-PU-2024-1166/states.json new file mode 100644 index 0000000000..331ad626d3 --- /dev/null +++ b/oval/c10f2/ALT-PU-2024-1166/states.json @@ -0,0 +1,23 @@ +{ + "TextFileContent54State": [ + { + "ID": "oval:org.altlinux.errata:ste:5001", + "Version": "1", + "Text": {} + } + ], + "RpmInfoState": [ + { + "ID": "oval:org.altlinux.errata:ste:20241166001", + "Version": "1", + "Comment": "package EVR is earlier than 0:1.3.2-alt1", + "Arch": {}, + "Evr": { + "Text": "0:1.3.2-alt1", + "Datatype": "evr_string", + "Operation": "less than" + }, + "Subexpression": {} + } + ] +} \ No newline at end of file diff --git a/oval/c10f2/ALT-PU-2024-1166/tests.json b/oval/c10f2/ALT-PU-2024-1166/tests.json new file mode 100644 index 0000000000..7761aa2253 --- /dev/null +++ b/oval/c10f2/ALT-PU-2024-1166/tests.json @@ -0,0 +1,54 @@ +{ + "TextFileContent54Tests": [ + { + "ID": "oval:org.altlinux.errata:tst:5001", + "Version": "1", + "Check": "all", + "Comment": "ALT Linux based on branch 'c10f2' must be installed", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:5001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:5001" + } + } + ], + "RPMInfoTests": [ + { + "ID": "oval:org.altlinux.errata:tst:20241166001", + "Version": "1", + "Check": "all", + "Comment": "libwebp-devel is earlier than 0:1.3.2-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20241166001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20241166001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20241166002", + "Version": "1", + "Check": "all", + "Comment": "libwebp-tools is earlier than 0:1.3.2-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20241166002" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20241166001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20241166003", + "Version": "1", + "Check": "all", + "Comment": "libwebp7 is earlier than 0:1.3.2-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20241166003" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20241166001" + } + } + ] +} \ No newline at end of file diff --git a/oval/c10f2/ALT-PU-2024-1261/definitions.json b/oval/c10f2/ALT-PU-2024-1261/definitions.json new file mode 100644 index 0000000000..d1eb7edb76 --- /dev/null +++ b/oval/c10f2/ALT-PU-2024-1261/definitions.json @@ -0,0 +1,73 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20241261", + "Version": "oval:org.altlinux.errata:def:20241261", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-1261: package `motion` update to version 4.5.1-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch c10f2" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-1261", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-1261", + "Source": "ALTPU" + } + ], + "Description": "This update upgrades motion to version 4.5.1-alt1. \nSecurity Fix(es):\n\n * #41020: /etc/motion/motion.conf в spec-файле без noreplace", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "Low", + "Rights": "Copyright 2023 BaseALT Ltd.", + "Issued": { + "Date": "2024-01-25" + }, + "Updated": { + "Date": "2024-01-25" + }, + "bdu": null, + "Bugzilla": [ + { + "Id": "41020", + "Href": "https://bugzilla.altlinux.org/41020", + "Data": "/etc/motion/motion.conf в spec-файле без noreplace" + } + ], + "AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:spworkstation:10", + "cpe:/o:alt:spserver:10" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:5001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:20241261001", + "Comment": "motion is earlier than 0:4.5.1-alt1" + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/oval/c10f2/ALT-PU-2024-1261/objects.json b/oval/c10f2/ALT-PU-2024-1261/objects.json new file mode 100644 index 0000000000..d805842d72 --- /dev/null +++ b/oval/c10f2/ALT-PU-2024-1261/objects.json @@ -0,0 +1,34 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:5001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20241261001", + "Version": "1", + "comment": "motion is installed", + "Name": "motion" + } + ] +} \ No newline at end of file diff --git a/oval/c10f2/ALT-PU-2024-1261/states.json b/oval/c10f2/ALT-PU-2024-1261/states.json new file mode 100644 index 0000000000..01ffcbc0a2 --- /dev/null +++ b/oval/c10f2/ALT-PU-2024-1261/states.json @@ -0,0 +1,23 @@ +{ + "TextFileContent54State": [ + { + "ID": "oval:org.altlinux.errata:ste:5001", + "Version": "1", + "Text": {} + } + ], + "RpmInfoState": [ + { + "ID": "oval:org.altlinux.errata:ste:20241261001", + "Version": "1", + "Comment": "package EVR is earlier than 0:4.5.1-alt1", + "Arch": {}, + "Evr": { + "Text": "0:4.5.1-alt1", + "Datatype": "evr_string", + "Operation": "less than" + }, + "Subexpression": {} + } + ] +} \ No newline at end of file diff --git a/oval/c10f2/ALT-PU-2024-1261/tests.json b/oval/c10f2/ALT-PU-2024-1261/tests.json new file mode 100644 index 0000000000..00344a5c7d --- /dev/null +++ b/oval/c10f2/ALT-PU-2024-1261/tests.json @@ -0,0 +1,30 @@ +{ + "TextFileContent54Tests": [ + { + "ID": "oval:org.altlinux.errata:tst:5001", + "Version": "1", + "Check": "all", + "Comment": "ALT Linux based on branch 'c10f2' must be installed", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:5001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:5001" + } + } + ], + "RPMInfoTests": [ + { + "ID": "oval:org.altlinux.errata:tst:20241261001", + "Version": "1", + "Check": "all", + "Comment": "motion is earlier than 0:4.5.1-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20241261001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20241261001" + } + } + ] +} \ No newline at end of file