pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vuln-list-alt/oval/p11/ALT-PU-2024-13230/definitions.json
pepelyaevip 9d72b75f75 ALT Vulnerability
2024-12-12 21:07:30 +00:00

142 lines
6.8 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:202413230",
"Version": "oval:org.altlinux.errata:def:202413230",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-13230: package `snapd` update to version 2.63-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-13230",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-13230",
"Source": "ALTPU"
},
{
"RefID": "BDU:2024-06997",
"RefURL": "https://bdu.fstec.ru/vul/2024-06997",
"Source": "BDU"
},
{
"RefID": "BDU:2024-07012",
"RefURL": "https://bdu.fstec.ru/vul/2024-07012",
"Source": "BDU"
},
{
"RefID": "CVE-2024-1724",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-1724",
"Source": "CVE"
},
{
"RefID": "CVE-2024-29068",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-29068",
"Source": "CVE"
},
{
"RefID": "CVE-2024-29069",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-29069",
"Source": "CVE"
}
],
"Description": "This update upgrades snapd to version 2.63-alt1. \nSecurity Fix(es):\n\n * BDU:2024-06997: Уязвимость утилиты для управления самодостаточными пакетами snapd, связанная с неправильным разрешением ссылки перед доступом к файлу, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2024-07012: Уязвимость утилиты для управления самодостаточными пакетами snapd, связанная с неправильной проверкой входных данных, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2024-1724: In snapd versions prior to 2.62, when using AppArmor for enforcement of \nsandbox permissions, snapd failed to restrict writes to the $HOME/bin\npath. In Ubuntu, when this path exists, it is automatically added to\nthe users PATH. An attacker who could convince a user to install a\nmalicious snap which used the 'home' plug could use this vulnerability\nto install arbitrary scripts into the users PATH which may then be run\nby the user outside of the expected snap sandbox and hence allow them\nto escape confinement.\n\n * CVE-2024-29068: In snapd versions prior to 2.62, snapd failed to properly check the file\ntype when extracting a snap. The snap format is a squashfs file-system\nimage and so can contain files that are non-regular files (such as pipes \nor sockets etc). Various file entries within the snap squashfs image\n(such as icons etc) are directly read by snapd when it is extracted. An \nattacker who could convince a user to install a malicious snap which\ncontained non-regular files at these paths could then cause snapd to block\nindefinitely trying to read from such files and cause a denial of service.\n\n * CVE-2024-29069: In snapd versions prior to 2.62, snapd failed to properly check the\ndestination of symbolic links when extracting a snap. The snap format \nis a squashfs file-system image and so can contain symbolic links and\nother file types. Various file entries within the snap squashfs image\n(such as icons and desktop files etc) are directly read by snapd when\nit is extracted. An attacker who could convince a user to install a\nmalicious snap which contained symbolic links at these paths could then \ncause snapd to write out the contents of the symbolic link destination\ninto a world-readable directory. This in-turn could allow an unprivileged\nuser to gain access to privileged information.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-10-22"
},
"Updated": {
"Date": "2024-10-22"
},
"BDUs": [
{
"ID": "BDU:2024-06997",
"CVSS": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
"CVSS3": "AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"CWE": "CWE-59",
"Href": "https://bdu.fstec.ru/vul/2024-06997",
"Impact": "High",
"Public": "20240725"
},
{
"ID": "BDU:2024-07012",
"CVSS": "AV:L/AC:L/Au:S/C:C/I:N/A:C",
"CVSS3": "AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
"CWE": "CWE-20",
"Href": "https://bdu.fstec.ru/vul/2024-07012",
"Impact": "Low",
"Public": "20240725"
}
],
"CVEs": [
{
"ID": "CVE-2024-1724",
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"CWE": "CWE-732",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-1724",
"Impact": "High",
"Public": "20240725"
},
{
"ID": "CVE-2024-29068",
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-29068",
"Impact": "Low",
"Public": "20240725"
},
{
"ID": "CVE-2024-29069",
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"CWE": "CWE-59",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-29069",
"Impact": "High",
"Public": "20240725"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:202413230001",
"Comment": "snap-confine is earlier than 0:2.63-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:202413230002",
"Comment": "snapd is earlier than 0:2.63-alt1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink