ALT Vulnerability

This commit is contained in:
Иван Пепеляев 2024-04-24 15:02:06 +00:00
parent a7e8159380
commit 6beaee1a47
16 changed files with 1051 additions and 0 deletions


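--- /dev/null
+++ b/PATH-NOT-SHOWN-file-01
@@ -0,0 +1,155 @@
+{
+"Definition": [
+{
+"ID": "oval:org.altlinux.errata:def:20247021",
+"Version": "oval:org.altlinux.errata:def:20247021",
+"Class": "patch",
+"Metadata": {
+"Title": "ALT-PU-2024-7021: package `xorg-xwayland` update to version 23.1.1-alt5",
+"AffectedList": [
+{
+"Family": "unix",
+"Platforms": [
+"ALT Linux branch c10f1"
+],
+"Products": [
+"ALT SP Workstation",
+"ALT SP Server"
+]
+}
+],
+"References": [
+{
+"RefID": "ALT-PU-2024-7021",
+"RefURL": "https://errata.altlinux.org/ALT-PU-2024-7021",
+"Source": "ALTPU"
+},
+{
+"RefID": "BDU:2024-03104",
+"RefURL": "https://bdu.fstec.ru/vul/2024-03104",
+"Source": "BDU"
+},
+{
+"RefID": "BDU:2024-03130",
+"RefURL": "https://bdu.fstec.ru/vul/2024-03130",
+"Source": "BDU"
+},
+{
+"RefID": "BDU:2024-03132",
+"RefURL": "https://bdu.fstec.ru/vul/2024-03132",
+"Source": "BDU"
+},
+{
+"RefID": "CVE-2024-31080",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-31080",
+"Source": "CVE"
+},
+{
+"RefID": "CVE-2024-31081",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-31081",
+"Source": "CVE"
+},
+{
+"RefID": "CVE-2024-31083",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-31083",
+"Source": "CVE"
+}
+],
+"Description": "This update upgrades xorg-xwayland to version 23.1.1-alt5. \nSecurity Fix(es):\n\n * BDU:2024-03104: Уязвимость функции ProcXIPassiveGrabDevice() сервера X Window System Xorg-server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2024-03130: Уязвимость функции ProcRenderAddGlyphs() сервера X Window System Xorg-server, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-03132: Уязвимость функции ProcXIGetSelectedEvents() сервера X Window System Xorg-server, позволяющая нарушитель получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2024-31080: A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.\n\n * CVE-2024-31081: A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.\n\n * CVE-2024-31083: A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.",
+"Advisory": {
+"From": "errata.altlinux.org",
+"Severity": "High",
+"Rights": "Copyright 2024 BaseALT Ltd.",
+"Issued": {
+"Date": "2024-04-24"
+},
+"Updated": {
+"Date": "2024-04-24"
+},
+"BDUs": [
+{
+"ID": "BDU:2024-03104",
+"CVSS": "AV:L/AC:L/Au:S/C:C/I:P/A:C",
+"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
+"CWE": "CWE-126",
+"Href": "https://bdu.fstec.ru/vul/2024-03104",
+"Impact": "High",
+"Public": "20240404"
+},
+{
+"ID": "BDU:2024-03130",
+"CVSS": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
+"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+"CWE": "CWE-416",
+"Href": "https://bdu.fstec.ru/vul/2024-03130",
+"Impact": "High",
+"Public": "20240405"
+},
+{
+"ID": "BDU:2024-03132",
+"CVSS": "AV:L/AC:L/Au:S/C:C/I:P/A:C",
+"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
+"CWE": "CWE-126",
+"Href": "https://bdu.fstec.ru/vul/2024-03132",
+"Impact": "High",
+"Public": "20240404"
+}
+],
+"CVEs": [
+{
+"ID": "CVE-2024-31080",
+"CWE": "CWE-126",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-31080",
+"Impact": "None",
+"Public": "20240404"
+},
+{
+"ID": "CVE-2024-31081",
+"CWE": "CWE-126",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-31081",
+"Impact": "None",
+"Public": "20240404"
+},
+{
+"ID": "CVE-2024-31083",
+"CWE": "CWE-416",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-31083",
+"Impact": "None",
+"Public": "20240405"
+}
+],
+"AffectedCPEs": {
+"CPEs": [
+"cpe:/o:alt:spworkstation:10",
+"cpe:/o:alt:spserver:10"
+]
+}
+}
+},
+"Criteria": {
+"Operator": "AND",
+"Criterions": [
+{
+"TestRef": "oval:org.altlinux.errata:tst:4001",
+"Comment": "ALT Linux must be installed"
+}
+],
+"Criterias": [
+{
+"Operator": "OR",
+"Criterions": [
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247021001",
+"Comment": "xorg-xwayland is earlier than 2:23.1.1-alt5"
+},
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247021002",
+"Comment": "xorg-xwayland-devel is earlier than 2:23.1.1-alt5"
+}
+]
+}
+]
+}
+}
+]
+}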
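Review bot: `"Version"` on this definition repeats the definition ID (`"Version": "oval:org.altlinux.errata:def:20247021"`) rather than a revision number like the `"1"` that every object, state and test in this commit uses, so a consumer that compares versions to detect a re-issued definition never sees the value change; the definitions for ALT-PU-2024-7023, ALT-PU-2024-7016 and ALT-PU-2024-7014 in this commit have the same shape. The three CVE entries under `"Advisory"` carry `"Impact": "None"` while their BDU counterparts are `"High"` and the advisory `"Severity"` is `"High"`; a scanner that ranks findings by Impact reads `"None"` as a level rather than as "not provided", so omitting the key, or using `null` consistently, would be safer (the ALT-PU-2024-7023 definition repeats this). The criterion comment `"ALT Linux must be installed"` also differs from the comment on the test it references, which names branch c10f1, so one of the two should be aligned.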


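--- /dev/null
+++ b/PATH-NOT-SHOWN-file-02
@@ -0,0 +1,40 @@
+{
+"TextFileContent54Objects": [
+{
+"ID": "oval:org.altlinux.errata:obj:4001",
+"Version": "1",
+"Comment": "Evaluate `/etc/os-release` file content",
+"Path": {
+"Datatype": "string",
+"Text": "/etc"
+},
+"Filepath": {
+"Datatype": "string",
+"Text": "os-release"
+},
+"Pattern": {
+"Datatype": "string",
+"Operation": "pattern match",
+"Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)"
+},
+"Instance": {
+"Datatype": "int",
+"Text": "1"
+}
+}
+],
+"RPMInfoObjects": [
+{
+"ID": "oval:org.altlinux.errata:obj:20247021001",
+"Version": "1",
+"Comment": "xorg-xwayland is installed",
+"Name": "xorg-xwayland"
+},
+{
+"ID": "oval:org.altlinux.errata:obj:20247021002",
+"Version": "1",
+"Comment": "xorg-xwayland-devel is installed",
+"Name": "xorg-xwayland-devel"
+}
+]
+}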
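Review bot: The `/etc/os-release` object captures the SP release number with `(\\d+)`, but the state it is paired with (`ste:4001`, whose only entity is `"Text": {}`) appears to constrain nothing, so the test only verifies that some ALT SP CPE line is present and never compares the captured value; the test comment "ALT Linux based on branch 'c10f1' must be installed" promises more than the check enforces. The c10f2 object `obj:5001` in this commit uses the identical pattern with an equally empty `ste:5001`, so an SP 10 host satisfies both platform tests and can be reported against errata for a branch it does not run. If the branch is meant to be distinguished, the state needs a `Text` entity that pins the captured release, otherwise the object and test comments should say only that an ALT SP release was detected. Whether the evaluator in use treats an empty state as match-all should be confirmed before relying on either reading.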


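--- /dev/null
+++ b/PATH-NOT-SHOWN-file-03
@@ -0,0 +1,23 @@
+{
+"TextFileContent54State": [
+{
+"ID": "oval:org.altlinux.errata:ste:4001",
+"Version": "1",
+"Text": {}
+}
+],
+"RPMInfoStates": [
+{
+"ID": "oval:org.altlinux.errata:ste:20247021001",
+"Version": "1",
+"Comment": "package EVR is earlier than 2:23.1.1-alt5",
+"Arch": {},
+"EVR": {
+"Text": "2:23.1.1-alt5",
+"Datatype": "evr_string",
+"Operation": "less than"
+},
+"Subexpression": {}
+}
+]
+}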


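--- /dev/null
+++ b/PATH-NOT-SHOWN-file-04
@@ -0,0 +1,42 @@
+{
+"TextFileContent54Tests": [
+{
+"ID": "oval:org.altlinux.errata:tst:4001",
+"Version": "1",
+"Check": "all",
+"Comment": "ALT Linux based on branch 'c10f1' must be installed",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:4001"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:4001"
+}
+}
+],
+"RPMInfoTests": [
+{
+"ID": "oval:org.altlinux.errata:tst:20247021001",
+"Version": "1",
+"Check": "all",
+"Comment": "xorg-xwayland is earlier than 2:23.1.1-alt5",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247021001"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247021001"
+}
+},
+{
+"ID": "oval:org.altlinux.errata:tst:20247021002",
+"Version": "1",
+"Check": "all",
+"Comment": "xorg-xwayland-devel is earlier than 2:23.1.1-alt5",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247021002"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247021001"
+}
+}
+]
+}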


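--- /dev/null
+++ b/PATH-NOT-SHOWN-file-05
@@ -0,0 +1,200 @@
+{
+"Definition": [
+{
+"ID": "oval:org.altlinux.errata:def:20247023",
+"Version": "oval:org.altlinux.errata:def:20247023",
+"Class": "patch",
+"Metadata": {
+"Title": "ALT-PU-2024-7023: package `xorg-server` update to version 1.20.14-alt12",
+"AffectedList": [
+{
+"Family": "unix",
+"Platforms": [
+"ALT Linux branch c10f1"
+],
+"Products": [
+"ALT SP Workstation",
+"ALT SP Server"
+]
+}
+],
+"References": [
+{
+"RefID": "ALT-PU-2024-7023",
+"RefURL": "https://errata.altlinux.org/ALT-PU-2024-7023",
+"Source": "ALTPU"
+},
+{
+"RefID": "BDU:2024-03104",
+"RefURL": "https://bdu.fstec.ru/vul/2024-03104",
+"Source": "BDU"
+},
+{
+"RefID": "BDU:2024-03109",
+"RefURL": "https://bdu.fstec.ru/vul/2024-03109",
+"Source": "BDU"
+},
+{
+"RefID": "BDU:2024-03130",
+"RefURL": "https://bdu.fstec.ru/vul/2024-03130",
+"Source": "BDU"
+},
+{
+"RefID": "BDU:2024-03132",
+"RefURL": "https://bdu.fstec.ru/vul/2024-03132",
+"Source": "BDU"
+},
+{
+"RefID": "CVE-2024-31080",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-31080",
+"Source": "CVE"
+},
+{
+"RefID": "CVE-2024-31081",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-31081",
+"Source": "CVE"
+},
+{
+"RefID": "CVE-2024-31082",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-31082",
+"Source": "CVE"
+},
+{
+"RefID": "CVE-2024-31083",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-31083",
+"Source": "CVE"
+}
+],
+"Description": "This update upgrades xorg-server to version 1.20.14-alt12. \nSecurity Fix(es):\n\n * BDU:2024-03104: Уязвимость функции ProcXIPassiveGrabDevice() сервера X Window System Xorg-server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2024-03109: Уязвимость функции ProcAppleDRICreatePixmap() сервера X Window System Xorg-server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2024-03130: Уязвимость функции ProcRenderAddGlyphs() сервера X Window System Xorg-server, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-03132: Уязвимость функции ProcXIGetSelectedEvents() сервера X Window System Xorg-server, позволяющая нарушитель получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2024-31080: A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.\n\n * CVE-2024-31081: A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.\n\n * CVE-2024-31082: A heap-based buffer over-read vulnerability was found in the X.org server's ProcAppleDRICreatePixmap() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.\n\n * CVE-2024-31083: A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.",
+"Advisory": {
+"From": "errata.altlinux.org",
+"Severity": "High",
+"Rights": "Copyright 2024 BaseALT Ltd.",
+"Issued": {
+"Date": "2024-04-24"
+},
+"Updated": {
+"Date": "2024-04-24"
+},
+"BDUs": [
+{
+"ID": "BDU:2024-03104",
+"CVSS": "AV:L/AC:L/Au:S/C:C/I:P/A:C",
+"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
+"CWE": "CWE-126",
+"Href": "https://bdu.fstec.ru/vul/2024-03104",
+"Impact": "High",
+"Public": "20240404"
+},
+{
+"ID": "BDU:2024-03109",
+"CVSS": "AV:L/AC:L/Au:S/C:C/I:P/A:C",
+"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
+"CWE": "CWE-126",
+"Href": "https://bdu.fstec.ru/vul/2024-03109",
+"Impact": "High",
+"Public": "20240404"
+},
+{
+"ID": "BDU:2024-03130",
+"CVSS": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
+"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+"CWE": "CWE-416",
+"Href": "https://bdu.fstec.ru/vul/2024-03130",
+"Impact": "High",
+"Public": "20240405"
+},
+{
+"ID": "BDU:2024-03132",
+"CVSS": "AV:L/AC:L/Au:S/C:C/I:P/A:C",
+"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
+"CWE": "CWE-126",
+"Href": "https://bdu.fstec.ru/vul/2024-03132",
+"Impact": "High",
+"Public": "20240404"
+}
+],
+"CVEs": [
+{
+"ID": "CVE-2024-31080",
+"CWE": "CWE-126",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-31080",
+"Impact": "None",
+"Public": "20240404"
+},
+{
+"ID": "CVE-2024-31081",
+"CWE": "CWE-126",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-31081",
+"Impact": "None",
+"Public": "20240404"
+},
+{
+"ID": "CVE-2024-31082",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-31082",
+"Impact": "None",
+"Public": "20240404"
+},
+{
+"ID": "CVE-2024-31083",
+"CWE": "CWE-416",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-31083",
+"Impact": "None",
+"Public": "20240405"
+}
+],
+"AffectedCPEs": {
+"CPEs": [
+"cpe:/o:alt:spworkstation:10",
+"cpe:/o:alt:spserver:10"
+]
+}
+}
+},
+"Criteria": {
+"Operator": "AND",
+"Criterions": [
+{
+"TestRef": "oval:org.altlinux.errata:tst:4001",
+"Comment": "ALT Linux must be installed"
+}
+],
+"Criterias": [
+{
+"Operator": "OR",
+"Criterions": [
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247023001",
+"Comment": "xorg-sdk is earlier than 2:1.20.14-alt12"
+},
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247023002",
+"Comment": "xorg-server is earlier than 2:1.20.14-alt12"
+},
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247023003",
+"Comment": "xorg-server-common is earlier than 2:1.20.14-alt12"
+},
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247023004",
+"Comment": "xorg-xdmx is earlier than 2:1.20.14-alt12"
+},
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247023005",
+"Comment": "xorg-xephyr is earlier than 2:1.20.14-alt12"
+},
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247023006",
+"Comment": "xorg-xnest is earlier than 2:1.20.14-alt12"
+},
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247023007",
+"Comment": "xorg-xvfb is earlier than 2:1.20.14-alt12"
+}
+]
+}
+]
+}
+}
+]
+}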
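Review bot: The `CVE-2024-31082` record under `"CVEs"` is the only one of the four without a `"CWE"` key, while its paired `BDU:2024-03109` record in the same advisory carries `"CWE": "CWE-126"` and the other two over-read CVEs are tagged CWE-126 as well; a consumer that reads `CWE` per CVE gets a missing field for exactly one record and cannot tell a deliberate blank from a value the generator dropped. Adding `"CWE": "CWE-126"` to that record would match the paired BDU entry and the description's "heap-based buffer over-read" wording, but the value should be confirmed against whatever source the generator reads rather than hand-edited. If the generator omits `CWE` when upstream has none, documenting that the key is optional would let consumers handle its absence deliberately.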


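--- /dev/null
+++ b/PATH-NOT-SHOWN-file-06
@@ -0,0 +1,70 @@
+{
+"TextFileContent54Objects": [
+{
+"ID": "oval:org.altlinux.errata:obj:4001",
+"Version": "1",
+"Comment": "Evaluate `/etc/os-release` file content",
+"Path": {
+"Datatype": "string",
+"Text": "/etc"
+},
+"Filepath": {
+"Datatype": "string",
+"Text": "os-release"
+},
+"Pattern": {
+"Datatype": "string",
+"Operation": "pattern match",
+"Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)"
+},
+"Instance": {
+"Datatype": "int",
+"Text": "1"
+}
+}
+],
+"RPMInfoObjects": [
+{
+"ID": "oval:org.altlinux.errata:obj:20247023001",
+"Version": "1",
+"Comment": "xorg-sdk is installed",
+"Name": "xorg-sdk"
+},
+{
+"ID": "oval:org.altlinux.errata:obj:20247023002",
+"Version": "1",
+"Comment": "xorg-server is installed",
+"Name": "xorg-server"
+},
+{
+"ID": "oval:org.altlinux.errata:obj:20247023003",
+"Version": "1",
+"Comment": "xorg-server-common is installed",
+"Name": "xorg-server-common"
+},
+{
+"ID": "oval:org.altlinux.errata:obj:20247023004",
+"Version": "1",
+"Comment": "xorg-xdmx is installed",
+"Name": "xorg-xdmx"
+},
+{
+"ID": "oval:org.altlinux.errata:obj:20247023005",
+"Version": "1",
+"Comment": "xorg-xephyr is installed",
+"Name": "xorg-xephyr"
+},
+{
+"ID": "oval:org.altlinux.errata:obj:20247023006",
+"Version": "1",
+"Comment": "xorg-xnest is installed",
+"Name": "xorg-xnest"
+},
+{
+"ID": "oval:org.altlinux.errata:obj:20247023007",
+"Version": "1",
+"Comment": "xorg-xvfb is installed",
+"Name": "xorg-xvfb"
+}
+]
+}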


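--- /dev/null
+++ b/PATH-NOT-SHOWN-file-07
@@ -0,0 +1,23 @@
+{
+"TextFileContent54State": [
+{
+"ID": "oval:org.altlinux.errata:ste:4001",
+"Version": "1",
+"Text": {}
+}
+],
+"RPMInfoStates": [
+{
+"ID": "oval:org.altlinux.errata:ste:20247023001",
+"Version": "1",
+"Comment": "package EVR is earlier than 2:1.20.14-alt12",
+"Arch": {},
+"EVR": {
+"Text": "2:1.20.14-alt12",
+"Datatype": "evr_string",
+"Operation": "less than"
+},
+"Subexpression": {}
+}
+]
+}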


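--- /dev/null
+++ b/PATH-NOT-SHOWN-file-08
@@ -0,0 +1,102 @@
+{
+"TextFileContent54Tests": [
+{
+"ID": "oval:org.altlinux.errata:tst:4001",
+"Version": "1",
+"Check": "all",
+"Comment": "ALT Linux based on branch 'c10f1' must be installed",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:4001"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:4001"
+}
+}
+],
+"RPMInfoTests": [
+{
+"ID": "oval:org.altlinux.errata:tst:20247023001",
+"Version": "1",
+"Check": "all",
+"Comment": "xorg-sdk is earlier than 2:1.20.14-alt12",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247023001"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247023001"
+}
+},
+{
+"ID": "oval:org.altlinux.errata:tst:20247023002",
+"Version": "1",
+"Check": "all",
+"Comment": "xorg-server is earlier than 2:1.20.14-alt12",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247023002"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247023001"
+}
+},
+{
+"ID": "oval:org.altlinux.errata:tst:20247023003",
+"Version": "1",
+"Check": "all",
+"Comment": "xorg-server-common is earlier than 2:1.20.14-alt12",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247023003"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247023001"
+}
+},
+{
+"ID": "oval:org.altlinux.errata:tst:20247023004",
+"Version": "1",
+"Check": "all",
+"Comment": "xorg-xdmx is earlier than 2:1.20.14-alt12",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247023004"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247023001"
+}
+},
+{
+"ID": "oval:org.altlinux.errata:tst:20247023005",
+"Version": "1",
+"Check": "all",
+"Comment": "xorg-xephyr is earlier than 2:1.20.14-alt12",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247023005"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247023001"
+}
+},
+{
+"ID": "oval:org.altlinux.errata:tst:20247023006",
+"Version": "1",
+"Check": "all",
+"Comment": "xorg-xnest is earlier than 2:1.20.14-alt12",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247023006"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247023001"
+}
+},
+{
+"ID": "oval:org.altlinux.errata:tst:20247023007",
+"Version": "1",
+"Check": "all",
+"Comment": "xorg-xvfb is earlier than 2:1.20.14-alt12",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247023007"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247023001"
+}
+}
+]
+}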


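--- /dev/null
+++ b/PATH-NOT-SHOWN-file-09
@@ -0,0 +1,109 @@
+{
+"Definition": [
+{
+"ID": "oval:org.altlinux.errata:def:20247016",
+"Version": "oval:org.altlinux.errata:def:20247016",
+"Class": "patch",
+"Metadata": {
+"Title": "ALT-PU-2024-7016: package `ctags` update to version 5.8-alt6",
+"AffectedList": [
+{
+"Family": "unix",
+"Platforms": [
+"ALT Linux branch c10f2"
+]
+}
+],
+"References": [
+{
+"RefID": "ALT-PU-2024-7016",
+"RefURL": "https://errata.altlinux.org/ALT-PU-2024-7016",
+"Source": "ALTPU"
+},
+{
+"RefID": "BDU:2023-07200",
+"RefURL": "https://bdu.fstec.ru/vul/2023-07200",
+"Source": "BDU"
+},
+{
+"RefID": "CVE-2014-7204",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2014-7204",
+"Source": "CVE"
+},
+{
+"RefID": "CVE-2022-4515",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-4515",
+"Source": "CVE"
+}
+],
+"Description": "This update upgrades ctags to version 5.8-alt6. \nSecurity Fix(es):\n\n * BDU:2023-07200: Уязвимость функции externalSortTags (sort.c) утилиты создания индексов файлов для исходного кода программы Exuberant Ctags, позволяющая нарушителю выполнить произвольные команды\n\n * CVE-2014-7204: jscript.c in Exuberant Ctags 5.8 allows remote attackers to cause a denial of service (infinite loop and CPU and disk consumption) via a crafted JavaScript file.\n\n * CVE-2022-4515: A flaw was found in Exuberant Ctags in the way it handles the \"-o\" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.",
+"Advisory": {
+"From": "errata.altlinux.org",
+"Severity": "High",
+"Rights": "Copyright 2024 BaseALT Ltd.",
+"Issued": {
+"Date": "2024-04-24"
+},
+"Updated": {
+"Date": "2024-04-24"
+},
+"BDUs": [
+{
+"ID": "BDU:2023-07200",
+"CVSS": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+"CVSS3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+"CWE": "CWE-78",
+"Href": "https://bdu.fstec.ru/vul/2023-07200",
+"Impact": "High",
+"Public": "20221219"
+}
+],
+"CVEs": [
+{
+"ID": "CVE-2014-7204",
+"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
+"CWE": "CWE-399",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2014-7204",
+"Impact": "Low",
+"Public": "20141007"
+},
+{
+"ID": "CVE-2022-4515",
+"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+"CWE": "CWE-78",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-4515",
+"Impact": "High",
+"Public": "20221220"
+}
+],
+"AffectedCPEs": {
+"CPEs": [
+"cpe:/o:alt:spworkstation:10",
+"cpe:/o:alt:spserver:10"
+]
+}
+}
+},
+"Criteria": {
+"Operator": "AND",
+"Criterions": [
+{
+"TestRef": "oval:org.altlinux.errata:tst:5001",
+"Comment": "ALT Linux must be installed"
+}
+],
+"Criterias": [
+{
+"Operator": "OR",
+"Criterions": [
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247016001",
+"Comment": "ctags is earlier than 0:5.8-alt6"
+}
+]
+}
+]
+}
+}
+]
+}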
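Review bot: This definition has no `"Products"` list in its `"AffectedList"` entry even though `"AffectedCPEs"` names `spworkstation:10` and `spserver:10`, whereas the two c10f1 definitions in this commit list `"ALT SP Workstation"` and `"ALT SP Server"`, and the c9f2 definition for ALT-PU-2024-7014 spells the same products `"ALT SPWorkstation"` and `"ALT SPServer"`. A consumer that filters or groups advisories by product string will therefore miss this one entirely and file the c9f2 one under a different product. If the generator derives `Products` from the CPE list, emitting the same two names here with one spelling keeps the field usable; if `Products` is genuinely optional, that should be documented so consumers fall back to `AffectedCPEs`. The `"CVSS3"` value on `CVE-2022-4515` is also the only vector in the commit carrying a `CVSS:3.1/` prefix, so vector parsers need to accept both forms.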


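--- /dev/null
+++ b/PATH-NOT-SHOWN-file-10
@@ -0,0 +1,34 @@
+{
+"TextFileContent54Objects": [
+{
+"ID": "oval:org.altlinux.errata:obj:5001",
+"Version": "1",
+"Comment": "Evaluate `/etc/os-release` file content",
+"Path": {
+"Datatype": "string",
+"Text": "/etc"
+},
+"Filepath": {
+"Datatype": "string",
+"Text": "os-release"
+},
+"Pattern": {
+"Datatype": "string",
+"Operation": "pattern match",
+"Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)"
+},
+"Instance": {
+"Datatype": "int",
+"Text": "1"
+}
+}
+],
+"RPMInfoObjects": [
+{
+"ID": "oval:org.altlinux.errata:obj:20247016001",
+"Version": "1",
+"Comment": "ctags is installed",
+"Name": "ctags"
+}
+]
+}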


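--- /dev/null
+++ b/PATH-NOT-SHOWN-file-11
@@ -0,0 +1,23 @@
+{
+"TextFileContent54State": [
+{
+"ID": "oval:org.altlinux.errata:ste:5001",
+"Version": "1",
+"Text": {}
+}
+],
+"RPMInfoStates": [
+{
+"ID": "oval:org.altlinux.errata:ste:20247016001",
+"Version": "1",
+"Comment": "package EVR is earlier than 0:5.8-alt6",
+"Arch": {},
+"EVR": {
+"Text": "0:5.8-alt6",
+"Datatype": "evr_string",
+"Operation": "less than"
+},
+"Subexpression": {}
+}
+]
+}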


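--- /dev/null
+++ b/PATH-NOT-SHOWN-file-12
@@ -0,0 +1,30 @@
+{
+"TextFileContent54Tests": [
+{
+"ID": "oval:org.altlinux.errata:tst:5001",
+"Version": "1",
+"Check": "all",
+"Comment": "ALT Linux based on branch 'c10f2' must be installed",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:5001"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:5001"
+}
+}
+],
+"RPMInfoTests": [
+{
+"ID": "oval:org.altlinux.errata:tst:20247016001",
+"Version": "1",
+"Check": "all",
+"Comment": "ctags is earlier than 0:5.8-alt6",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247016001"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247016001"
+}
+}
+]
+}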


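--- /dev/null
+++ b/PATH-NOT-SHOWN-file-13
@@ -0,0 +1,113 @@
+{
+"Definition": [
+{
+"ID": "oval:org.altlinux.errata:def:20247014",
+"Version": "oval:org.altlinux.errata:def:20247014",
+"Class": "patch",
+"Metadata": {
+"Title": "ALT-PU-2024-7014: package `ctags` update to version 5.8-alt6",
+"AffectedList": [
+{
+"Family": "unix",
+"Platforms": [
+"ALT Linux branch c9f2"
+],
+"Products": [
+"ALT SPWorkstation",
+"ALT SPServer"
+]
+}
+],
+"References": [
+{
+"RefID": "ALT-PU-2024-7014",
+"RefURL": "https://errata.altlinux.org/ALT-PU-2024-7014",
+"Source": "ALTPU"
+},
+{
+"RefID": "BDU:2023-07200",
+"RefURL": "https://bdu.fstec.ru/vul/2023-07200",
+"Source": "BDU"
+},
+{
+"RefID": "CVE-2014-7204",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2014-7204",
+"Source": "CVE"
+},
+{
+"RefID": "CVE-2022-4515",
+"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-4515",
+"Source": "CVE"
+}
+],
+"Description": "This update upgrades ctags to version 5.8-alt6. \nSecurity Fix(es):\n\n * BDU:2023-07200: Уязвимость функции externalSortTags (sort.c) утилиты создания индексов файлов для исходного кода программы Exuberant Ctags, позволяющая нарушителю выполнить произвольные команды\n\n * CVE-2014-7204: jscript.c in Exuberant Ctags 5.8 allows remote attackers to cause a denial of service (infinite loop and CPU and disk consumption) via a crafted JavaScript file.\n\n * CVE-2022-4515: A flaw was found in Exuberant Ctags in the way it handles the \"-o\" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.",
+"Advisory": {
+"From": "errata.altlinux.org",
+"Severity": "High",
+"Rights": "Copyright 2024 BaseALT Ltd.",
+"Issued": {
+"Date": "2024-04-24"
+},
+"Updated": {
+"Date": "2024-04-24"
+},
+"BDUs": [
+{
+"ID": "BDU:2023-07200",
+"CVSS": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+"CVSS3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+"CWE": "CWE-78",
+"Href": "https://bdu.fstec.ru/vul/2023-07200",
+"Impact": "High",
+"Public": "20221219"
+}
+],
+"CVEs": [
+{
+"ID": "CVE-2014-7204",
+"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
+"CWE": "CWE-399",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2014-7204",
+"Impact": "Low",
+"Public": "20141007"
+},
+{
+"ID": "CVE-2022-4515",
+"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+"CWE": "CWE-78",
+"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-4515",
+"Impact": "High",
+"Public": "20221220"
+}
+],
+"AffectedCPEs": {
+"CPEs": [
+"cpe:/o:alt:spworkstation:8.4",
+"cpe:/o:alt:spserver:8.4"
+]
+}
+}
+},
+"Criteria": {
+"Operator": "AND",
+"Criterions": [
+{
+"TestRef": "oval:org.altlinux.errata:tst:3001",
+"Comment": "ALT Linux must be installed"
+}
+],
+"Criterias": [
+{
+"Operator": "OR",
+"Criterions": [
+{
+"TestRef": "oval:org.altlinux.errata:tst:20247014001",
+"Comment": "ctags is earlier than 0:5.8-alt6"
+}
+]
+}
+]
+}
+}
+]
+}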


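--- /dev/null
+++ b/PATH-NOT-SHOWN-file-14
@@ -0,0 +1,34 @@
+{
+"TextFileContent54Objects": [
+{
+"ID": "oval:org.altlinux.errata:obj:3001",
+"Version": "1",
+"Comment": "Evaluate `/etc/os-release` file content",
+"Path": {
+"Datatype": "string",
+"Text": "/etc"
+},
+"Filepath": {
+"Datatype": "string",
+"Text": "os-release"
+},
+"Pattern": {
+"Datatype": "string",
+"Operation": "pattern match",
+"Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d\\.\\d)"
+},
+"Instance": {
+"Datatype": "int",
+"Text": "1"
+}
+}
+],
+"RPMInfoObjects": [
+{
+"ID": "oval:org.altlinux.errata:obj:20247014001",
+"Version": "1",
+"Comment": "ctags is installed",
+"Name": "ctags"
+}
+]
+}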


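--- /dev/null
+++ b/PATH-NOT-SHOWN-file-15
@@ -0,0 +1,23 @@
+{
+"TextFileContent54State": [
+{
+"ID": "oval:org.altlinux.errata:ste:3001",
+"Version": "1",
+"Text": {}
+}
+],
+"RPMInfoStates": [
+{
+"ID": "oval:org.altlinux.errata:ste:20247014001",
+"Version": "1",
+"Comment": "package EVR is earlier than 0:5.8-alt6",
+"Arch": {},
+"EVR": {
+"Text": "0:5.8-alt6",
+"Datatype": "evr_string",
+"Operation": "less than"
+},
+"Subexpression": {}
+}
+]
+}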


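--- /dev/null
+++ b/PATH-NOT-SHOWN-file-16
@@ -0,0 +1,30 @@
+{
+"TextFileContent54Tests": [
+{
+"ID": "oval:org.altlinux.errata:tst:3001",
+"Version": "1",
+"Check": "all",
+"Comment": "ALT Linux based on branch 'c9f2' must be installed",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:3001"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:3001"
+}
+}
+],
+"RPMInfoTests": [
+{
+"ID": "oval:org.altlinux.errata:tst:20247014001",
+"Version": "1",
+"Check": "all",
+"Comment": "ctags is earlier than 0:5.8-alt6",
+"Object": {
+"ObjectRef": "oval:org.altlinux.errata:obj:20247014001"
+},
+"State": {
+"StateRef": "oval:org.altlinux.errata:ste:20247014001"
+}
+}
+]
+}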