239 lines
12 KiB
JSON
{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20171855",
      "Version": "oval:org.altlinux.errata:def:20171855",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2017-1855: package `oniguruma` update to version 6.4.0-alt1.S1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch c9f2"
            ],
            "Products": [
              "ALT SPWorkstation",
              "ALT SPServer"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2017-1855",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2017-1855",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2017-01838",
            "RefURL": "https://bdu.fstec.ru/vul/2017-01838",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2017-01839",
            "RefURL": "https://bdu.fstec.ru/vul/2017-01839",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2017-01840",
            "RefURL": "https://bdu.fstec.ru/vul/2017-01840",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2017-01841",
            "RefURL": "https://bdu.fstec.ru/vul/2017-01841",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2017-01842",
            "RefURL": "https://bdu.fstec.ru/vul/2017-01842",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2017-01843",
            "RefURL": "https://bdu.fstec.ru/vul/2017-01843",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2017-9224",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9224",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2017-9225",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9225",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2017-9226",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9226",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2017-9227",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9227",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2017-9228",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9228",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2017-9229",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9229",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades oniguruma to version 6.4.0-alt1.S1. \nSecurity Fix(es):\n\n * BDU:2017-01838: Vulnerability in the Oniguruma library related to the use of an uninitialized variable, allowing memory corruption to be triggered\n\n * BDU:2017-01839: Vulnerability in the Oniguruma library related to the use of an uninitialized variable, allowing memory corruption to be triggered\n\n * BDU:2017-01840: Vulnerability in the Oniguruma library related to the use of an uninitialized variable, allowing an attacker to perform an out-of-bounds read from heap memory\n\n * BDU:2017-01841: Vulnerability in the Oniguruma library related to incorrect handling of numbers, allowing an attacker to cause memory corruption\n\n * BDU:2017-01842: Vulnerability in the Oniguruma library related to an out-of-bounds write to a stack buffer, allowing an attacker to cause a denial of service\n\n * BDU:2017-01843: Vulnerability in the Oniguruma library allowing an attacker to affect the availability of information\n\n * CVE-2017-9224: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.\n\n * CVE-2017-9225: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.\n\n * CVE-2017-9226: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.\n\n * CVE-2017-9227: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.\n\n * CVE-2017-9228: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.\n\n * CVE-2017-9229: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "Critical",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2017-07-12"
          },
          "Updated": {
            "Date": "2017-07-12"
          },
          "BDUs": [
            {
              "ID": "BDU:2017-01838",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CWE": "CWE-787",
              "Href": "https://bdu.fstec.ru/vul/2017-01838",
              "Impact": "High",
              "Public": "20170523"
            },
            {
              "ID": "BDU:2017-01839",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CWE": "CWE-787",
              "Href": "https://bdu.fstec.ru/vul/2017-01839",
              "Impact": "High",
              "Public": "20170524"
            },
            {
              "ID": "BDU:2017-01840",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CWE": "CWE-125",
              "Href": "https://bdu.fstec.ru/vul/2017-01840",
              "Impact": "High",
              "Public": "20170522"
            },
            {
              "ID": "BDU:2017-01841",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CWE": "CWE-125, CWE-787",
              "Href": "https://bdu.fstec.ru/vul/2017-01841",
              "Impact": "High",
              "Public": "20170518"
            },
            {
              "ID": "BDU:2017-01842",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CWE": "CWE-125, CWE-787",
              "Href": "https://bdu.fstec.ru/vul/2017-01842",
              "Impact": "High",
              "Public": "20170522"
            },
            {
              "ID": "BDU:2017-01843",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CWE": "CWE-125",
              "Href": "https://bdu.fstec.ru/vul/2017-01843",
              "Impact": "High",
              "Public": "20170522"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2017-9224",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "CWE": "CWE-125",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9224",
              "Impact": "Critical",
              "Public": "20170524"
            },
            {
              "ID": "CVE-2017-9225",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "CWE": "CWE-787",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9225",
              "Impact": "Critical",
              "Public": "20170524"
            },
            {
              "ID": "CVE-2017-9226",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "CWE": "CWE-787",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9226",
              "Impact": "Critical",
              "Public": "20170524"
            },
            {
              "ID": "CVE-2017-9227",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "CWE": "CWE-125",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9227",
              "Impact": "Critical",
              "Public": "20170524"
            },
            {
              "ID": "CVE-2017-9228",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "CWE": "CWE-787",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9228",
              "Impact": "Critical",
              "Public": "20170524"
            },
            {
              "ID": "CVE-2017-9229",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-476",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9229",
              "Impact": "High",
              "Public": "20170524"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:spworkstation:8.4",
              "cpe:/o:alt:spserver:8.4"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:3001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20171855001",
                "Comment": "oniguruma is earlier than 0:6.4.0-alt1.S1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20171855002",
                "Comment": "oniguruma-devel is earlier than 0:6.4.0-alt1.S1"
              }
            ]
          }
        ]
      }
    }
  ]
}
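The Criteria tree above is what a scanner actually evaluates: AND(ALT Linux installed, OR(oniguruma earlier than 0:6.4.0-alt1.S1, oniguruma-devel earlier than 0:6.4.0-alt1.S1)). The example below, added here and not part of the ALT errata feed or any ALT tooling, walks that tree against a constructed inventory of installed packages using rpm-style epoch:version-release ordering, which is where naive string comparison goes wrong (epochs, and releases such as alt1 versus alt1.S1). The page does not include the OVAL test/object/state definitions that the TestRef values point to, so the mapping from a criterion to a package and fixed EVR is an assumption: the Comment text is parsed for "<pkg> is earlier than <evr>", and "ALT Linux must be installed" is taken from a caller-supplied flag. The DEFINITION dict is an excerpt of the definition above with only the fields the evaluator needs; the host inventories are constructed.

```python
"""Evaluate an ALT Linux OVAL patch definition against installed packages.

Added example, not ALT tooling. Assumptions: criteria are identified by
their Comment text (the tst: objects are not on the page), and package
versions are rpm EVR strings 'epoch:version-release'.
"""
import re

# Excerpt of the definition above: only the parts the evaluator reads.
DEFINITION = {
    "ID": "oval:org.altlinux.errata:def:20171855",
    "Criteria": {
        "Operator": "AND",
        "Criterions": [
            {"TestRef": "oval:org.altlinux.errata:tst:3001",
             "Comment": "ALT Linux must be installed"},
        ],
        "Criterias": [{
            "Operator": "OR",
            "Criterions": [
                {"TestRef": "oval:org.altlinux.errata:tst:20171855001",
                 "Comment": "oniguruma is earlier than 0:6.4.0-alt1.S1"},
                {"TestRef": "oval:org.altlinux.errata:tst:20171855002",
                 "Comment": "oniguruma-devel is earlier than 0:6.4.0-alt1.S1"},
            ],
        }],
    },
}

# Constructed host inventories: package name -> installed EVR.
HOST_VULNERABLE = {"oniguruma": "6.2.0-alt1"}
HOST_PATCHED = {"oniguruma": "6.4.0-alt1.S1", "oniguruma-devel": "6.4.0-alt1.S1"}
HOST_EPOCH_BUMP = {"oniguruma": "1:6.2.0-alt1"}        # epoch 1 beats 0:6.4.0
HOST_DEVEL_ONLY = {"oniguruma-devel": "6.4.0-alt1"}    # alt1 < alt1.S1

_SEG = re.compile(r"(\d+|[A-Za-z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way rpm does: split into
    numeric and alphabetic segments (separators are ignored), compare
    numeric segments as integers and alphabetic ones lexically, a numeric
    segment beats an alphabetic one, '~' sorts before anything, and when
    all shared segments match the string with more segments is newer."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":          # trailing '~...' means older, not newer
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_compare(a: str, b: str) -> int:
    """Full rpm EVR comparison: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


_EARLIER_RE = re.compile(r"^(\S+) is earlier than (\S+)$")


def eval_criterion(crit: dict, installed: dict, is_alt: bool) -> bool:
    """Assumption: the Comment text stands in for the OVAL test."""
    comment = crit["Comment"]
    if comment == "ALT Linux must be installed":
        return is_alt
    m = _EARLIER_RE.match(comment)
    if not m:
        raise ValueError(f"unsupported criterion: {comment}")
    pkg, fixed = m.groups()
    if pkg not in installed:
        return False            # not installed: this branch cannot be vulnerable
    return evr_compare(installed[pkg], fixed) < 0


def eval_criteria(node: dict, installed: dict, is_alt: bool) -> bool:
    """Recursive AND/OR evaluation over Criterions and nested Criterias."""
    results = [eval_criterion(c, installed, is_alt) for c in node.get("Criterions", [])]
    results += [eval_criteria(n, installed, is_alt) for n in node.get("Criterias", [])]
    op = node["Operator"]
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    raise ValueError(f"unsupported operator: {op}")


def is_vulnerable(definition: dict, installed: dict, is_alt: bool = True) -> bool:
    return eval_criteria(definition["Criteria"], installed, is_alt)


if __name__ == "__main__":
    for name, host in [("vulnerable", HOST_VULNERABLE), ("patched", HOST_PATCHED),
                       ("epoch-bump", HOST_EPOCH_BUMP), ("devel-only", HOST_DEVEL_ONLY)]:
        print(f"{name:11s} {DEFINITION['ID']}: vulnerable={is_vulnerable(DEFINITION, host)}")
```

The two cases worth noting are the epoch bump, where 1:6.2.0-alt1 is not "earlier than" 0:6.4.0-alt1.S1 even though its upstream version is older, and the devel-only host, where 6.4.0-alt1 still matches because the release alt1 sorts before alt1.S1; a scanner that compares plain version strings gets both wrong. A package that is not installed at all makes its criterion false, so the OR only fires for packages actually present.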