安全公告详情

NS-SA-2025-0086

2025-05-28 09:42:35

简介

important: python-setuptools/shim security update

严重级别

important

主题

An update for python-setuptools/shim is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

python-setuptools:
shim:


Security Fix(es):
python-setuptools: A flaw was found in the package_index module of pypa/setuptools. Affected versions of this package allow remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.(CVE-2024-6345)
python-setuptools: bugfix
shim: A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances.(CVE-2023-40546)
shim: An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.(CVE-2023-40549)
shim: An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.(CVE-2023-40550)
shim: A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.(CVE-2023-40551)
shim: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.02B7.

影响组件

  • python-setuptools
  • shim

影响产品

  • CGSL MAIN 7.02

更新包

{"fix":[{"product":"CGSL MAIN 7.02","pkgs":[{"binary":["python3-setuptools-68.0.0-2.zncgsl7.5.noarch.rpm","python-setuptools-wheel-68.0.0-2.zncgsl7.5.noarch.rpm"],"source":"python-setuptools-68.0.0-2.zncgsl7.5.src.rpm"},{"binary":["shim-x64-15.7-2.zncgsl7.16.x86_64.rpm"],"source":"shim-15.7-2.zncgsl7.16.src.rpm"}]}]}
CGSL MAIN 7.02
  • python-setuptools-68.0.0-2.zncgsl7.5.src.rpm
    • python3-setuptools-68.0.0-2.zncgsl7.5.noarch.rpm
    • python-setuptools-wheel-68.0.0-2.zncgsl7.5.noarch.rpm
  • shim-15.7-2.zncgsl7.16.src.rpm
    • shim-x64-15.7-2.zncgsl7.16.x86_64.rpm

CVE

参考

© 2004-2023 广东中兴新支点技术有限公司 版权所有 (www.gd-linux.com) 粤ICP备15061780号-2

全国服务热线:400-033-0108