安全公告详情

NS-SA-2019-0044

2019-07-17 14:56:29

简介

important: kernel/libgxps security update

严重级别

important

主题

An update for kernel/libgxps is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

kernel: The python-perf package contains a module that permits applications written in the Python programming language to use the interface to manipulate perf events.
libgxps: libgxps is a GObject based library for handling and rendering XPS documents.


Security Fix(es):
kernel: A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the IP-over-1394 driver [firewire-net] in a fragment handling code in the Linux kernel. The vulnerability exists since firewire supported IPv4, i.e. since version 2.6.31 (year 2009) till version v4.9-rc4. A maliciously formed fragment with a respectively large datagram offset would cause a memcpy() past the datagram buffer, which would cause a system panic or possible arbitrary code execution. The flaw requires [firewire-net] module to be loaded and is remotely exploitable from connected firewire devices, but not over a local network.(CVE-2016-8633)
kernel: A bug in the 32-bit compatibility layer of the ioctl handling code of the v4l2 video driver in the Linux kernel has been found. A memory protection mechanism ensuring that user-provided buffers always point to a userspace memory were disabled, allowing destination address to be in a kernel space. This flaw could be exploited by an attacker to overwrite a kernel memory from an unprivileged userspace process, leading to privilege escalation.(CVE-2017-13166)
kernel: The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function.(CVE-2017-18344)
kernel: A use-after-free vulnerability was found in DCCP socket code affecting the Linux kernel since 2.6.16. This vulnerability could allow an attacker to their escalate privileges.(CVE-2017-8824)
kernel: A flaw was found in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.(CVE-2018-1087)
kernel: It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.(CVE-2018-10902)
kernel: A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not.(CVE-2018-13405)
kernel: Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks.(CVE-2018-3620)
kernel: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.(CVE-2018-3639)
kernel: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks.(CVE-2018-3693)
kernel: A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system.(CVE-2018-5391)
kernel: A an integer overflow vulnerability was discovered in the Linux kernel, from version 3.4 through 4.15, in the drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() function. An attacker with access to the udldrmfb driver could exploit this to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space.(CVE-2018-8781)
kernel: bugfix
libgxps: There is a heap-based buffer over-read in the function ft_font_face_hash of gxps-fonts.c in libgxps through 0.3.0. A crafted input will lead to a remote denial of service attack.(CVE-2018-10733)
libgxps: There is a stack-based buffer over-read in calling GLib in the function gxps_images_guess_content_type of gxps-images.c in libgxps through 0.3.0 because it does not reject negative return values from a g_input_stream_read call. A crafted input will lead to a remote denial of service attack.(CVE-2018-10767)
libgxps: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F8.

影响组件

  • kernel
  • libgxps

影响产品

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

更新包

{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[{"binary":["python-perf-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","perf-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.noarch.rpm","kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm","kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.noarch.rpm","kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.x86_64.rpm"],"source":"kernel-3.10.0-693.21.1.el7.cgslv5_4.8.258.ge72aad5.src.rpm"},{"binary":["libgxps-0.3.0-4.el7.x86_64.rpm","libgxps-debuginfo-0.3.0-4.el7.x86_64.rpm","libgxps-devel-0.3.0-4.el7.x86_64.rpm","libgxps-tools-0.3.0-4.el7.x86_64.rpm"],"source":"libgxps-0.3.0-4.el7.src.rpm"}]},{"product":"CGSL CORE 5.04","pkgs":[{"binary":["kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.noarch.rpm","kernel-core-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","perf-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","python-perf-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.noarch.rpm","kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm","kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.x86_64.rpm"],"source":"kernel-3.10.0-693.21.1.el7.cgslv5_4.8.261.gad51a3d.lite.src.rpm"},{"binary":["libgxps-0.3.0-4.el7.x86_64.rpm","libgxps-debuginfo-0.3.0-4.el7.x86_64.rpm","libgxps-devel-0.3.0-4.el7.x86_64.rpm","libgxps-tools-0.3.0-4.el7.x86_64.rpm"],"source":"libgxps-0.3.0-4.el7.src.rpm"}]}]}

CVE

参考