安全公告详情

NS-SA-2019-0060

2019-07-17 14:58:09

简介

moderate: openssh/binutils security update

严重级别

moderate

主题

An update for openssh/binutils is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

openssh: This package contains a PAM module which can be used to authenticate users using ssh keys stored in a ssh-agent. Through the use of the forwarding of ssh-agent connection it also allows to authenticate with remote ssh-agent instance. The module is most useful for su and sudo service stacks.
binutils: Binutils is a collection of binary utilities, including ar (for creating, modifying and extracting from archives), as (a family of GNU assemblers), gprof (for displaying call graph profile data), ld (the GNU linker), nm (for listing symbols from object files), objcopy (for copying and translating object files), objdump (for displaying information from object files), ranlib (for generating an index for the contents of an archive), readelf (for displaying detailed information about binary files), size (for listing the section sizes of an object or archive file), strings (for listing printable strings from files), strip (for discarding symbols), and addr2line (for converting addresses to file and line).


Security Fix(es):
openssh: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.(CVE-2018-20685)
openssh: An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.(CVE-2019-6109)
openssh: In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.(CVE-2019-6110)
openssh: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).(CVE-2019-6111)
openssh: bugfix
binutils: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.(CVE-2018-13033)
binutils: The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.(CVE-2018-10534)
binutils: The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a "SECTION" type that has a "0" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.(CVE-2018-10535)
binutils: process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf.(CVE-2018-10372)
binutils: concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.(CVE-2018-10373)
binutils: The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump.(CVE-2018-7643)
binutils: An integer wraparound has been discovered in the Binary File Descriptor (BFD) library distributed in GNU Binutils up to version 2.30. An attacker could cause a crash by providing an ELF file with corrupted DWARF debug information.(CVE-2018-7568)
binutils: An integer wraparound has been discovered in the Binary File Descriptor (BFD) library distributed in GNU Binutils up to version 2.30. An attacker could cause a crash by providing an ELF file with corrupted DWARF debug information.(CVE-2018-7569)
binutils: The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.(CVE-2018-7642)
binutils: The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.(CVE-2018-8945)
binutils: In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.(CVE-2018-7208)
binutils: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F12.

影响组件

  • openssh
  • binutils

影响产品

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

更新包

{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[{"binary":["openssh-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-askpass-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-cavs-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-clients-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-debuginfo-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-keycat-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-ldap-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-server-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.7.ga049176.x86_64.rpm"],"source":"openssh-7.9p1-1.el7.cgslv5.0.7.ga049176.src.rpm"},{"binary":["binutils-2.27-34.base.el7.x86_64.rpm","binutils-debuginfo-2.27-34.base.el7.x86_64.rpm","binutils-devel-2.27-34.base.el7.x86_64.rpm"],"source":"binutils-2.27-34.base.el7.src.rpm"}]},{"product":"CGSL CORE 5.04","pkgs":[{"binary":["openssh-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-askpass-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-cavs-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-clients-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-debuginfo-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-keycat-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-ldap-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","openssh-server-7.9p1-1.el7.cgslv5.0.7.ga049176.x86_64.rpm","pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.7.ga049176.x86_64.rpm"],"source":"openssh-7.9p1-1.el7.cgslv5.0.7.ga049176.src.rpm"},{"binary":["binutils-2.27-34.base.el7.x86_64.rpm","binutils-debuginfo-2.27-34.base.el7.x86_64.rpm","binutils-devel-2.27-34.base.el7.x86_64.rpm"],"source":"binutils-2.27-34.base.el7.src.rpm"}]}]}

CVE

参考