安全公告详情

NS-SA-2023-0084

2023-05-30 09:08:34

简介

important: zlib/ruby security update

严重级别

important

主题

An update for zlib/ruby is now available for NewStart CGSL MAIN 6.06.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

zlib: Zlib is a general-purpose, patent-free, lossless data compression library which is used by many different programs.
ruby: RubyGems is the Ruby standard for publishing and managing third party libraries.


Security Fix(es):
zlib: An out-of-bounds access flaw was found in zlib, which allows memory corruption when deflating (ex: when compressing) if the input has many distant matches. For some rare inputs with a large number of distant matches (crafted payloads), the buffer into which the compressed or deflated data is written can overwrite the distance symbol table which it overlays. This issue results in corrupted output due to invalid distances, which leads to out-of-bound access, corrupting the memory and potentially crashing the application.(CVE-2018-25032)
zlib: bugfix
ruby: A buffer overrun vulnerability was found in Ruby. The issue occurs in a conversion algorithm from a String to a Float that causes process termination due to a segmentation fault, but under limited circumstances. This flaw may cause an illegal memory read.(CVE-2022-28739)
ruby: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.06.02B5.

影响组件

  • zlib
  • ruby

影响产品

  • CGSL MAIN 6.06

更新包

{"fix":[{"product":"CGSL MAIN 6.06","pkgs":[{"binary":["zlib-1.2.11-19.0.1.zncgsl6_6.x86_64.rpm","zlib-devel-1.2.11-19.0.1.zncgsl6_6.x86_64.rpm"],"source":"zlib-1.2.11-19.0.1.zncgsl6_6.src.rpm"},{"binary":["rubygems-3.0.3.1-109.module+zncgsl6.6.0+10811+c4e2cb16.noarch.rpm","rubygem-bigdecimal-1.4.1-109.module+zncgsl6.6.0+10811+c4e2cb16.x86_64.rpm","rubygem-io-console-0.4.7-109.module+zncgsl6.6.0+10811+c4e2cb16.x86_64.rpm","rubygem-irb-1.0.0-109.module+zncgsl6.6.0+10811+c4e2cb16.noarch.rpm","rubygem-json-2.1.0-109.module+zncgsl6.6.0+10811+c4e2cb16.x86_64.rpm","rubygem-openssl-2.1.2-109.module+zncgsl6.6.0+10811+c4e2cb16.x86_64.rpm","rubygem-psych-3.1.0-109.module+zncgsl6.6.0+10811+c4e2cb16.x86_64.rpm","rubygem-rdoc-6.1.2.1-109.module+zncgsl6.6.0+10811+c4e2cb16.noarch.rpm","ruby-2.6.10-109.module+zncgsl6.6.0+10811+c4e2cb16.x86_64.rpm","ruby-libs-2.6.10-109.module+zncgsl6.6.0+10811+c4e2cb16.x86_64.rpm"],"source":"ruby-2.6.10-109.module+zncgsl6.6.0+10811+c4e2cb16.src.rpm"}]}]}

CVE

参考