Security Advisory Details

NS-SA-2021-0060

2021-03-09 14:30:31

Summary

moderate: libsolv/libvpx security update

Severity

moderate

Topic

An update for libsolv/libvpx is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

libsolv: This package provides debug information for package libsolv-demo. Debug information is useful when developing applications that use this package or when debugging this package.
libvpx: Development libraries and headers for developing software against libvpx.


Security Fix(es):
libsolv: An out-of-bounds read was discovered in Libsolv when the last schema has a length that is less than the length of the input schema. A remote attacker may abuse this flaw to crash an application that uses Libsolv. (CVE-2019-20387)
libsolv: bugfix
libvpx: In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-12267548. (CVE-2019-9232)
libvpx: In libvpx, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-8047935. (CVE-2019-9433)
libvpx: In libvpx, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-132783254. (CVE-2019-9371)
libvpx: In ParseContentEncodingEntry of mkvparser.cc, there is a possible double free due to a missing reset of a freed pointer. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-127702368. (CVE-2019-2126)
libvpx: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.50B5.

Affected Components

  • libsolv
  • libvpx

Affected Products

  • CGSL MAIN 6.02

Updated Packages

Product: CGSL MAIN 6.02

Source: libsolv-0.7.11-1.el8.src.rpm

  • libsolv-demo-debuginfo-0.7.11-1.el8.x86_64.rpm
  • perl-solv-0.7.11-1.el8.x86_64.rpm
  • ruby-solv-debuginfo-0.7.11-1.el8.x86_64.rpm
  • libsolv-0.7.11-1.el8.x86_64.rpm
  • python3-solv-0.7.11-1.el8.x86_64.rpm
  • libsolv-devel-0.7.11-1.el8.x86_64.rpm
  • libsolv-tools-0.7.11-1.el8.x86_64.rpm
  • libsolv-debugsource-0.7.11-1.el8.x86_64.rpm
  • python3-solv-debuginfo-0.7.11-1.el8.x86_64.rpm
  • libsolv-debuginfo-0.7.11-1.el8.x86_64.rpm
  • libsolv-demo-0.7.11-1.el8.x86_64.rpm
  • ruby-solv-0.7.11-1.el8.x86_64.rpm
  • libsolv-tools-debuginfo-0.7.11-1.el8.x86_64.rpm
  • perl-solv-debuginfo-0.7.11-1.el8.x86_64.rpm

Source: libvpx-1.7.0-8.el8.src.rpm

  • libvpx-devel-1.7.0-8.el8.x86_64.rpm
  • libvpx-utils-1.7.0-8.el8.x86_64.rpm
  • libvpx-debugsource-1.7.0-8.el8.x86_64.rpm
  • libvpx-utils-debuginfo-1.7.0-8.el8.x86_64.rpm
  • libvpx-debuginfo-1.7.0-8.el8.x86_64.rpm
  • libvpx-1.7.0-8.el8.x86_64.rpm

CVE

References