安全公告详情

NS-SA-2019-0013

2019-07-17 14:54:39

简介

important: libreoffice/ruby security update

严重级别

important

主题

An update for libreoffice/ruby is now available for NewStart CGSL MAIN 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

libreoffice: Rules for auto-correcting common Lithuanian typing errors.
ruby: Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.


Security Fix(es):
libreoffice: A flaw was found in libreoffice before 5.4.5 and before 6.0.1. Arbitrary remote file disclosure may be achieved by the use of the WEBSERVICE formula in a specially crafted ODS file.(CVE-2018-6871)
libreoffice: bugfix
ruby: A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory.(CVE-2017-14064)
ruby: The "lazy_initialize" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands.(CVE-2017-17790)
ruby: It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module.(CVE-2017-17405)
ruby: A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter.(CVE-2017-0898)
ruby: It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service.(CVE-2017-14033)
ruby: It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences.(CVE-2017-10784)
ruby: It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outside of the regular directory.(CVE-2017-0901)
ruby: It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary.(CVE-2017-0900)
ruby: A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain.(CVE-2017-0902)
ruby: A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences.(CVE-2017-0899)
ruby: A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.(CVE-2017-0903)
ruby: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F3.

影响组件

  • libreoffice
  • ruby

影响产品

  • CGSL MAIN 5.04

更新包

{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[{"binary":["autocorr-af-5.0.6.2-15.el7_4.noarch.rpm","autocorr-bg-5.0.6.2-15.el7_4.noarch.rpm","autocorr-ca-5.0.6.2-15.el7_4.noarch.rpm","autocorr-cs-5.0.6.2-15.el7_4.noarch.rpm","autocorr-da-5.0.6.2-15.el7_4.noarch.rpm","autocorr-de-5.0.6.2-15.el7_4.noarch.rpm","autocorr-en-5.0.6.2-15.el7_4.noarch.rpm","autocorr-es-5.0.6.2-15.el7_4.noarch.rpm","autocorr-fa-5.0.6.2-15.el7_4.noarch.rpm","autocorr-fi-5.0.6.2-15.el7_4.noarch.rpm","autocorr-fr-5.0.6.2-15.el7_4.noarch.rpm","autocorr-ga-5.0.6.2-15.el7_4.noarch.rpm","autocorr-hr-5.0.6.2-15.el7_4.noarch.rpm","autocorr-hu-5.0.6.2-15.el7_4.noarch.rpm","autocorr-is-5.0.6.2-15.el7_4.noarch.rpm","autocorr-it-5.0.6.2-15.el7_4.noarch.rpm","autocorr-ja-5.0.6.2-15.el7_4.noarch.rpm","autocorr-ko-5.0.6.2-15.el7_4.noarch.rpm","autocorr-lb-5.0.6.2-15.el7_4.noarch.rpm","autocorr-lt-5.0.6.2-15.el7_4.noarch.rpm","autocorr-mn-5.0.6.2-15.el7_4.noarch.rpm","autocorr-nl-5.0.6.2-15.el7_4.noarch.rpm","autocorr-pl-5.0.6.2-15.el7_4.noarch.rpm","autocorr-pt-5.0.6.2-15.el7_4.noarch.rpm","autocorr-ro-5.0.6.2-15.el7_4.noarch.rpm","autocorr-ru-5.0.6.2-15.el7_4.noarch.rpm","autocorr-sk-5.0.6.2-15.el7_4.noarch.rpm","autocorr-sl-5.0.6.2-15.el7_4.noarch.rpm","autocorr-sr-5.0.6.2-15.el7_4.noarch.rpm","autocorr-sv-5.0.6.2-15.el7_4.noarch.rpm","autocorr-tr-5.0.6.2-15.el7_4.noarch.rpm","autocorr-vi-5.0.6.2-15.el7_4.noarch.rpm","autocorr-zh-5.0.6.2-15.el7_4.noarch.rpm","libreoffice-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-base-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-bsh-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-calc-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-core-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-debuginfo-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-draw-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-emailmerge-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-filters-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-gdb-debug-support-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-glade-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-graphicfilter-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-impress-5.0.6.2-15.el7_4.x86_64.rpm","libreofficekit-5.0.6.2-15.el7_4.x86_64.rpm","libreofficekit-devel-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-af-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ar-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-as-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-bg-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-bn-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-br-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ca-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-cs-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-cy-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-da-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-de-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-dz-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-el-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-en-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-es-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-et-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-eu-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-fa-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-fi-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-fr-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ga-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-gl-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-gu-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-he-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-hi-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-hr-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-hu-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-it-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ja-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-kk-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-kn-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ko-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-lt-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-lv-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-mai-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ml-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-mr-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-nb-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-nl-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-nn-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-nr-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-nso-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-or-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-pa-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-pl-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-pt-BR-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-pt-PT-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ro-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ru-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-si-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-sk-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-sl-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-sr-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ss-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-st-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-sv-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ta-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-te-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-th-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-tn-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-tr-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ts-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-uk-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-ve-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-xh-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-zh-Hans-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-zh-Hant-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-langpack-zu-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-librelogo-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-math-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-nlpsolver-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-officebean-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-ogltrans-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-opensymbol-fonts-5.0.6.2-15.el7_4.noarch.rpm","libreoffice-pdfimport-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-postgresql-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-pyuno-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-rhino-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-sdk-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-sdk-doc-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-ure-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-wiki-publisher-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-writer-5.0.6.2-15.el7_4.x86_64.rpm","libreoffice-xsltfilter-5.0.6.2-15.el7_4.x86_64.rpm"],"source":"libreoffice-5.0.6.2-15.el7_4.src.rpm"},{"binary":["ruby-2.0.0.648-33.el7_4.x86_64.rpm","ruby-debuginfo-2.0.0.648-33.el7_4.x86_64.rpm","ruby-devel-2.0.0.648-33.el7_4.x86_64.rpm","ruby-doc-2.0.0.648-33.el7_4.noarch.rpm","rubygem-bigdecimal-1.2.0-33.el7_4.x86_64.rpm","rubygem-io-console-0.4.2-33.el7_4.x86_64.rpm","rubygem-json-1.7.7-33.el7_4.x86_64.rpm","rubygem-minitest-4.3.2-33.el7_4.noarch.rpm","rubygem-psych-2.0.0-33.el7_4.x86_64.rpm","rubygem-rake-0.9.6-33.el7_4.noarch.rpm","rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm","rubygems-2.0.14.1-33.el7_4.noarch.rpm","rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm","ruby-irb-2.0.0.648-33.el7_4.noarch.rpm","ruby-libs-2.0.0.648-33.el7_4.x86_64.rpm","ruby-tcltk-2.0.0.648-33.el7_4.x86_64.rpm"],"source":"ruby-2.0.0.648-33.el7_4.src.rpm"}]}]}

CVE

参考