安全公告详情

NS-SA-2023-0081

2023-05-30 09:08:34

简介

important: gzip/hivex security update

严重级别

important

主题

An update for gzip/hivex is now available for NewStart CGSL MAIN 6.06.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

gzip: The gzip package contains the popular GNU gzip data compression program. Gzipped files have a .gz extension. Gzip should be installed on your system, because it is a very commonly used data compression program.
hivex: Hive files are the undocumented binary files that Windows uses to store the Windows Registry on disk. Hivex is a library that can read and write to these files. 'hivexsh' is a shell you can use to interactively navigate a hive binary file. 'hivexregedit' (in perl-hivex) lets you export and merge to the textual regedit format. 'hivexml' can be used to convert a hive file to a more useful XML format. In order to get access to the hive files themselves, you can copy them from a Windows machine. They are usually found in %systemroot%\system32\config. For virtual machines we recommend using libguestfs or guestfish to copy out these files. libguestfs also provides a useful high-level tool called 'virt-win-reg' (based on hivex technology) which can be used to query specific registry keys in an existing Windows VM. For OCaml bindings, see 'ocaml-hivex-devel'. For Perl bindings, see 'perl-hivex'. For Python 3 bindings, see 'python3-hivex'. For Ruby bindings, see 'ruby-hivex'.


Security Fix(es):
gzip: An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.(CVE-2022-1271)
gzip: bugfix
hivex: A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.(CVE-2021-3975)
hivex: A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.(CVE-2022-26354)
hivex: The ntfs3g package is susceptible to an input validation attack. When processing a crafted NTFS image there is an improper check. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39251)
hivex: The ntfs3g package is susceptible to an input validation flaw. When processing a crafted NTFS image there is an improper check which leads to an out of bounds read. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39253)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39263)
hivex: A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.(CVE-2021-3748)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39255)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing NTFS attributes, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-33285)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39259)
hivex: An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.(CVE-2021-3930)
hivex: A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.(CVE-2021-4206)
hivex: A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.(CVE-2021-4158)
hivex: An out-of-bounds access flaw was found in the Message Signalled Interrupt (MSI-X) device support of QEMU. This issue occurs while performing MSI-X mmio operations when a guest sent address goes beyond the mmio region. A guest user or process may use this flaw to crash the QEMU process resulting in a denial of service.(CVE-2020-13754)
hivex: A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2021-20196)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is system availability.(CVE-2021-39257)
hivex: A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.(CVE-2022-0358)
hivex: The ntfs3g package is susceptible to an input validation flaw. When processing a crafted NTFS image there is an improper check which leads to an out of bounds read. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39252)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS inode pathname, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-35266)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing NTFS attributes, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-33287)
hivex: A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage, use-after-free or other unexpected results. A malicious privileged guest could exploit this issue to crash QEMU or potentially execute arbitrary code within the context of the QEMU process on the host.(CVE-2022-26353)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39261)
hivex: A flaw was found in the hivex library. This flaw allows an attacker to input a specially crafted Windows Registry (hive) file, which would cause hivex to recursively call the _get_children() function, leading to a stack overflow. The highest threat from this vulnerability is to system availability.(CVE-2021-3622)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted unicode input. When processing NTFS unicode input, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-33286)
hivex: A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.(CVE-2021-3716)
hivex: A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.(CVE-2021-4207)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing NTFS attributes from the MFT , proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-35269)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39258)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing NTFS inodes, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-35268)
hivex: A flaw was found in the hivex library. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to crash. The highest threat from this vulnerability is to system availability.(CVE-2021-3504)
hivex: An assert(3) failure flaw was found in the networking helper functions of QEMU. This vulnerability can occur in the eth_get_gso_type() routine if a packet does not have a valid networking L3 protocol (ex. IPv4, IPv6) value. This flaw allows a guest user to crash the QEMU process on the host, resulting in a denial of service.(CVE-2020-27617)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39256)
hivex: The ntfs3g package is susceptible to an input validation flaw. A crafted NTFS image with invalid values could trigger an improper check. This incorrect check causes an integer overflow which then leads to a heap overflow. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39254)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability(CVE-2021-39260)
hivex: A flaw was found in the copying tool `nbdcopy` of libnbd. When performing multi-threaded copies using asynchronous nbd calls, nbdcopy was blindly treating the completion of an asynchronous command as successful, rather than checking the *error parameter. This could result in the silent creation of a corrupted destination image.(CVE-2022-0485)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing the MFT, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-33289)
hivex: The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-39262)
hivex: A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.(CVE-2021-3416)
hivex: The ntfs3g package is susceptible to a stack overflow. When correcting differences between the MFT and MFTMirror, incorrect checks lead to possible code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-35267)
hivex: A NULL pointer dereference issue was found in the block mirror layer of QEMU. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.(CVE-2021-4145)
hivex: An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2021-20257)
hivex: An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.(CVE-2021-20221)
hivex: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.06.02B5.

影响组件

  • gzip
  • hivex

影响产品

  • CGSL MAIN 6.06

更新包

{"fix":[{"product":"CGSL MAIN 6.06","pkgs":[{"binary":["gzip-1.9-13.zncgsl6_5.x86_64.rpm"],"source":"gzip-1.9-13.zncgsl6_5.src.rpm"},{"binary":["hivex-1.3.18-23.module+zncgsl6.6.0+10755+cbf458a5.x86_64.rpm","perl-hivex-1.3.18-23.module+zncgsl6.6.0+10755+cbf458a5.x86_64.rpm"],"source":"hivex-1.3.18-23.module+zncgsl6.6.0+10755+cbf458a5.src.rpm"}]}]}

CVE

参考