Security Advisory Details

NS-SA-2021-0170

2021-09-24 11:21:20

Summary

important: unoconv/librepo security update

Severity

important

Topic

An update for unoconv/librepo is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

unoconv: unoconv converts between any document format that LibreOffice understands. It uses LibreOffice's UNO bindings for non-interactive conversion of documents. Supported document formats include Open Document Format (.odf), MS Word (.doc), MS Office Open/MS OOXML (.xml), Portable Document Format (.pdf), HTML, XHTML, RTF, Docbook (.xml), and more.
librepo: A library providing a C and Python (libcURL-like) API for downloading repository metadata.


Security Fix(es):
unoconv: The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion. (CVE-2019-17400)
unoconv: bugfix
librepo: A flaw was found in librepo. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories. (CVE-2020-14352)
librepo: bugfix
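Both fixes listed above come down to the same defensive rule: a pathname supplied by an untrusted party (a remote repository's metadata, a caller-provided document location) must be validated before it is used. The following Python is an added example and is not code from unoconv, librepo or this advisory. It joins a relative location taken from remote metadata onto a destination directory and refuses anything that normalises to a path outside that directory, and it also refuses strings that carry a URL scheme, so that a field meant to hold a local pathname cannot be turned into a fetch from a local file or from another host. The destination directory, the sample location strings and the function names are constructed for the example.

```python
import os
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the advisory): "location" strings of
# the kind a remote repository's metadata might supply. Only the first two are
# benign; the rest are the shapes a validator must refuse.
SAMPLE_LOCATIONS = [
    "repodata/primary.xml.gz",
    "repodata/./filelists.xml.gz",          # dot segment, still inside the destination
    "../../etc/cron.d/job",                 # plain traversal
    "repodata/../../../etc/passwd",         # traversal after a valid-looking prefix
    "/etc/passwd",                          # absolute path
    "file:///etc/passwd",                   # URL scheme where a pathname is expected
]


def reject_url_like(name):
    """Refuse anything carrying a URL scheme. A pathname field must never reach a
    URL-aware fetcher, or the caller can point it at local files (file://) or at
    internal services (http://)."""
    scheme = urlsplit(name).scheme
    # A one-letter "scheme" is a Windows drive letter (C:\...), not a URL.
    if len(scheme) > 1:
        raise ValueError(f"URL scheme {scheme!r} not allowed in a pathname: {name!r}")
    return name


def safe_join(dest_dir, location):
    """Join an untrusted relative location onto dest_dir and return the absolute
    target. Raises ValueError for empty strings, NUL bytes, URL schemes, absolute
    paths and any path that normalises to a location outside dest_dir."""
    if not location:
        raise ValueError("empty location")
    if "\x00" in location:
        raise ValueError("NUL byte in location")
    reject_url_like(location)
    if location.startswith(("/", "\\")):
        raise ValueError(f"absolute path rejected: {location!r}")
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, location))
    # Containment test: after symlink and dot-segment resolution, the target must
    # still have the destination directory as a whole leading component. A plain
    # string-prefix check would wrongly accept "/var/cache/repo-evil/..." for
    # a destination of "/var/cache/repo".
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"location escapes destination directory: {location!r}")
    return target


def is_safe_location(dest_dir, location):
    """Boolean form of safe_join for callers that only need accept/reject."""
    try:
        safe_join(dest_dir, location)
        return True
    except ValueError:
        return False


def filter_locations(dest_dir, locations):
    """Split a batch of metadata locations into (accepted absolute paths,
    [(rejected location, reason)])."""
    accepted, rejected = [], []
    for loc in locations:
        try:
            accepted.append(safe_join(dest_dir, loc))
        except ValueError as exc:
            rejected.append((loc, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_locations("/var/cache/example-repo", SAMPLE_LOCATIONS)
    for path in ok:
        print("accept", path)
    for loc, why in bad:
        print("reject", loc, "->", why)
```

The scheme check is deliberately conservative: a bare filename containing a colon (for example `notes:2021.txt`) is also refused, which is the safer failure for a field that is supposed to name a file under a known directory. Resolving both the destination and the target with `os.path.realpath` before comparing them is what makes the containment test hold when the destination itself sits behind a symlink.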


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F11B5.

Affected Components

  • unoconv
  • librepo

Affected Products

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

Update Packages

CGSL MAIN 5.05

  • unoconv-0.6-8.el7.noarch.rpm (source: unoconv-0.6-8.el7.src.rpm)
  • librepo-1.8.1-8.el7_9.x86_64.rpm, librepo-devel-1.8.1-8.el7_9.x86_64.rpm, python-librepo-1.8.1-8.el7_9.x86_64.rpm (source: librepo-1.8.1-8.el7_9.src.rpm)

CGSL CORE 5.05

  • unoconv-0.6-8.el7.noarch.rpm (source: unoconv-0.6-8.el7.src.rpm)
  • librepo-1.8.1-8.el7_9.x86_64.rpm, librepo-devel-1.8.1-8.el7_9.x86_64.rpm, python-librepo-1.8.1-8.el7_9.x86_64.rpm (source: librepo-1.8.1-8.el7_9.src.rpm)

CVE

References