NS-SA-2019-0221

简介

important: kernel/ruby security update

严重级别

important

主题

An update for kernel/ruby is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

kernel: This package contains the development files for the tools/ directory from the kernel source.
ruby: Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.


Security Fix(es):
kernel: A flaw was found in the Linux kernel’s block driver implementation (blk_drain_queue() function) where a use-after-free condition could be triggered while draining the outstanding command queue in the systems block device subsystem. An attacker could use this flaw to crash the system or corrupt local memory, which may lead to privilege escalation.(CVE-2018-20856)
kernel: A flaw was found in the mwifiex implementation in the Linux kernel. A system connecting to wireless access point could be manipulated by an attacker with advanced permissions on the access point into localized memory corruption or possibly privilege escalation.(CVE-2019-10126)
kernel: A vulnerability was found in Linux kernel's implementation of overlayfs. An attacker with local access can create a denial of service situation via NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).(CVE-2019-10140)
kernel: A flaw was found in the Linux kernel's Marvell wifi chip driver. A heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c allows remote attackers to cause a denial of service(system crash) or execute arbitrary code.(CVE-2019-3846)
kernel: If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out.(CVE-2019-9500)
kernel: If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a WiFi dongle). This can allow firmware event frames from a remote source to be processed and this can result in denial of service (DoS) condition.(CVE-2019-9503)
kernel: A flaw was discovered in the Bluetooth protocol. An attacker within physical proximity to the Bluetooth connection could downgrade the encryption protocol to be trivially brute forced.(CVE-2019-9506)
kernel: bugfix
ruby: A integer underflow was found in the way String#unpack decodes the unpacking format. An attacker, able to control the unpack format, could use this flaw to disclose arbitrary parts of the application's memory.(CVE-2018-8778)
ruby: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.(CVE-2018-1000073)
ruby: It was found that the methods from the Dir class did not properly handle strings containing the NULL byte. An attacker, able to inject NULL bytes in a path, could possibly trigger an unspecified behavior of the ruby script.(CVE-2018-8780)
ruby: It was found that the tmpdir and tempfile modules did not sanitize their file name argument. An attacker with control over the name could create temporary files and directories outside of the dedicated directory.(CVE-2018-6914)
ruby: It was found that WEBrick could be forced to use an excessive amount of memory during the processing of HTTP requests, leading to a Denial of Service. An attacker could use this flaw to send huge requests to a WEBrick application, resulting in the server running out of memory.(CVE-2018-8777)
ruby: It was found that WEBrick did not sanitize headers sent back to clients, resulting in a response-splitting vulnerability. An attacker, able to control the server's headers, could force WEBrick into injecting additional headers to a client.(CVE-2017-17742)
ruby: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.(CVE-2018-1000074)
ruby: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.(CVE-2018-1000078)
ruby: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.(CVE-2018-1000079)
ruby: An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.(CVE-2018-16396)
ruby: It was found that the UNIXSocket::open and UNIXServer::open ruby methods did not handle the NULL byte properly. An attacker, able to inject NULL bytes in the socket path, could possibly trigger an unspecified behavior of the ruby script.(CVE-2018-8779)
ruby: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.(CVE-2018-1000075)
ruby: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.(CVE-2018-1000076)
ruby: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6.(CVE-2018-1000077)
ruby: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F19.

影响组件

• kernel
• ruby

影响产品

• CGSL MAIN 5.04
• CGSL CORE 5.04

更新包

CVE

• CVE-2018-20856
• CVE-2019-10126
• CVE-2019-10140
• CVE-2019-3846
• CVE-2019-9500
• CVE-2019-9503
• CVE-2019-9506
• CVE-2018-8778
• CVE-2018-1000073
• CVE-2018-8780
• CVE-2018-6914
• CVE-2018-8777
• CVE-2017-17742
• CVE-2018-1000074
• CVE-2018-1000078
• CVE-2018-1000079
• CVE-2018-16396
• CVE-2018-8779
• CVE-2018-1000075
• CVE-2018-1000076
• CVE-2018-1000077

参考

• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20856
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10126
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10140
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3846
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9500
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9503
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9506
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8778
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000073
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8780
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6914
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8777
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17742
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000074
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000078
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000079
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16396
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8779
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000075
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000076
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000077