Security Advisory Details

NS-SA-2019-0129

2019-07-17 15:03:12

Summary

critical: dhcp/openjpeg security update

Severity

critical

Topic

An update for dhcp/openjpeg is now available for NewStart CGSL MAIN 4.05.
NewStart Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

dhcp: DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an IP network to get their own network configuration information (IP address, subnet mask, broadcast address, etc.) from a DHCP server. The overall purpose of DHCP is to make it easier to administer a large network. To use DHCP on your network, install a DHCP service (or relay agent), and on clients run a DHCP client daemon. The dhclient package provides the ISC DHCP client daemon.
openjpeg: OpenJPEG is an open-source JPEG 2000 codec written in C. It has been developed to promote the use of JPEG 2000, the new still-image compression standard from the Joint Photographic Experts Group (JPEG).


Security Fix(es):
dhcp: A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Red Hat Enterprise Linux. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. (CVE-2018-1111)
dhcp: bugfix
openjpeg: A vulnerability was found in the patch for CVE-2013-6045 for OpenJPEG. A specially crafted JPEG2000 image, when read by an application using OpenJPEG, could cause heap-based buffer overflows leading to a crash or possible code execution. (CVE-2016-9675)
openjpeg: An integer overflow, leading to a heap buffer overflow, was found in OpenJPEG. An attacker could create a crafted JPEG2000 image that, when loaded by an application using openjpeg, could lead to a crash or, potentially, code execution. (CVE-2016-7163)
openjpeg: An integer overflow, leading to a heap buffer overflow, was found in openjpeg, also affecting the PDF viewer in Chromium. A specially crafted JPEG2000 image could cause an incorrect calculation when allocating memory for code blocks, which could lead to a crash, or potentially, code execution. (CVE-2016-5159)
openjpeg: An integer overflow, leading to a heap buffer overflow, was found in openjpeg, also affecting the PDF viewer in Chromium. A specially crafted JPEG2000 image could cause incorrect calculations when allocating various data structures, which could lead to a crash, or potentially, code execution. (CVE-2016-5158)
openjpeg: An integer overflow, leading to a heap buffer overflow, was found in openjpeg, also affecting the PDF viewer in Chromium. A specially crafted JPEG2000 image could cause an incorrect calculation when allocating precinct data structures, which could lead to a crash, or potentially, code execution. (CVE-2016-5139)
openjpeg: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 4.05.F12.

Affected Components

  • dhcp
  • openjpeg

Affected Products

  • CGSL MAIN 4.05

Updated Packages

CGSL MAIN 4.05

Source: dhcp-4.1.1-61.P1.el6.centos.src.rpm

  • dhclient-4.1.1-61.P1.el6.centos.x86_64.rpm
  • dhcp-4.1.1-61.P1.el6.centos.x86_64.rpm
  • dhcp-common-4.1.1-61.P1.el6.centos.x86_64.rpm
  • dhcp-debuginfo-4.1.1-61.P1.el6.centos.x86_64.rpm
  • dhcp-devel-4.1.1-61.P1.el6.centos.x86_64.rpm

Source: openjpeg-1.3-16.el6_8.src.rpm

  • openjpeg-1.3-16.el6_8.x86_64.rpm
  • openjpeg-debuginfo-1.3-16.el6_8.x86_64.rpm
  • openjpeg-devel-1.3-16.el6_8.x86_64.rpm
  • openjpeg-libs-1.3-16.el6_8.x86_64.rpm

CVE

References