Security Advisory Details

NS-SA-2021-0079

2021-03-09 14:30:32

Summary

moderate: microcode_ctl/libarchive security update

Severity

moderate

Topic

An update for microcode_ctl/libarchive is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

microcode_ctl: This package provides microcode update files for Intel x86 and x86_64 CPUs. The microcode update is volatile and needs to be uploaded on each system boot, i.e. it isn't stored on a CPU permanently; reboot and it reverts back to the old microcode. The package name "microcode_ctl" is historical, as the binary with the same name is no longer used for microcode upload and, as a result, is no longer provided.
libarchive: This package provides debug sources for package libarchive. Debug sources are useful when developing applications that use this package or when debugging this package.


Security Fix(es):
microcode_ctl: A flaw was found in the Intel Advanced Vector Extensions (AVX) implementation, where a local authenticated attacker with the ability to execute AVX instructions can gather the AVX register state from previous AVX executions. This vulnerability allows information disclosure of the AVX register state. (CVE-2020-8696)
microcode_ctl: Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8698)
microcode_ctl: A vulnerability was found in Intel's implementation of RAPL (Running Average Power Limit). An attacker with a local account could query the power management functionality to intelligently infer SGX enclave computation values by measuring power usage in the RAPL subsystem. (CVE-2020-8695)
microcode_ctl: bugfix
libarchive: In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive. (CVE-2019-19221)
libarchive: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.50B5.

Affected Components

  • microcode_ctl
  • libarchive

Affected Products

  • CGSL MAIN 6.02

Updated Packages

CGSL MAIN 6.02

Source: microcode_ctl-20200609-2.20201112.1.el8_3.src.rpm

  • microcode_ctl-20200609-2.20201112.1.el8_3.x86_64.rpm

Source: libarchive-3.3.2-9.el8.src.rpm

  • libarchive-debugsource-3.3.2-9.el8.x86_64.rpm
  • bsdcat-debuginfo-3.3.2-9.el8.x86_64.rpm
  • bsdcpio-debuginfo-3.3.2-9.el8.x86_64.rpm
  • bsdtar-3.3.2-9.el8.x86_64.rpm
  • bsdcpio-3.3.2-9.el8.x86_64.rpm
  • bsdcat-3.3.2-9.el8.x86_64.rpm
  • libarchive-3.3.2-9.el8.x86_64.rpm
  • libarchive-debuginfo-3.3.2-9.el8.x86_64.rpm
  • libarchive-devel-3.3.2-9.el8.x86_64.rpm
  • bsdtar-debuginfo-3.3.2-9.el8.x86_64.rpm

CVE

References