vuln-list-alt/oval/c10f1/ALT-PU-2024-13113/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:202413113",
      "Version": "oval:org.altlinux.errata:def:202413113",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2024-13113: package `orc` update to version 0.4.40-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch c10f1"
            ],
            "Products": [
              "ALT SP Workstation",
              "ALT SP Server"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2024-13113",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2024-13113",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2024-06669",
            "RefURL": "https://bdu.fstec.ru/vul/2024-06669",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2024-40897",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-40897",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades orc to version 0.4.40-alt1. \nSecurity Fix(es):\n\n * BDU:2024-06669: Уязвимость файла orcparse.c библиотеки для компиляции и выполнения программ, которые работают с массивами данных GStreamer ORC, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2024-40897: Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2024-09-26"
          },
          "Updated": {
            "Date": "2024-09-26"
          },
          "BDUs": [
            {
              "ID": "BDU:2024-06669",
              "CVSS": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
              "CVSS3": "AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
              "CWE": "CWE-119",
              "Href": "https://bdu.fstec.ru/vul/2024-06669",
              "Impact": "High",
              "Public": "20240726"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2024-40897",
              "CVSS3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
              "CWE": "CWE-787",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-40897",
              "Impact": "Low",
              "Public": "20240726"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:spworkstation:10",
              "cpe:/o:alt:spserver:10"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:4001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:202413113001",
                "Comment": "liborc is earlier than 0:0.4.40-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:202413113002",
                "Comment": "liborc-devel is earlier than 0:0.4.40-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:202413113003",
                "Comment": "liborc-test is earlier than 0:0.4.40-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:202413113004",
                "Comment": "liborc-test-devel is earlier than 0:0.4.40-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:202413113005",
                "Comment": "orc is earlier than 0:0.4.40-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:202413113006",
                "Comment": "orc-doc is earlier than 0:0.4.40-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}