Skip to content
This repository has been archived by the owner on Oct 10, 2023. It is now read-only.

0.344.0
Compare
Choose a tag to compare
@cf-buildpacks-eng cf-buildpacks-eng released this 06 Dec 00:06
· 25 commits to main since this release
0.344.0
6c26671

Notably, this release addresses:

USN-5762-1 USN-5762-1: GNU binutils vulnerability:

  • CVE-2022-38533: In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.

USN-5761-1 USN-5761-1: ca-certificates update:

USN-5760-1 USN-5760-1: libxml2 vulnerabilities:

  • CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
  • CVE-2022-40303: An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.
  • CVE-2022-40304: An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
  • CVE-2022-40304: An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
  • CVE-2022-40303: An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.
  • CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
-ii  binutils                  2.30-21ubuntu1~18.04.7   amd64 GNU assembler, linker and binary utilities
-ii  binutils-common:amd64     2.30-21ubuntu1~18.04.7   amd64 Common files for the GNU assembler, linker and binary utilities
-ii  binutils-x86-64-linux-gnu 2.30-21ubuntu1~18.04.7   amd64 GNU binary utilities, for x86-64-linux-gnu target
+ii  binutils                  2.30-21ubuntu1~18.04.8   amd64 GNU assembler, linker and binary utilities
+ii  binutils-common:amd64     2.30-21ubuntu1~18.04.8   amd64 Common files for the GNU assembler, linker and binary utilities
+ii  binutils-x86-64-linux-gnu 2.30-21ubuntu1~18.04.8   amd64 GNU binary utilities, for x86-64-linux-gnu target
-ii  ca-certificates           20211016~18.04.1         all   Common CA certificates
+ii  ca-certificates           20211016ubuntu0.18.04.1  all   Common CA certificates
-ii  libbinutils:amd64         2.30-21ubuntu1~18.04.7   amd64 GNU binary utilities (private shared library)
+ii  libbinutils:amd64         2.30-21ubuntu1~18.04.8   amd64 GNU binary utilities (private shared library)
-ii  libxml2:amd64             2.9.4+dfsg1-6.1ubuntu1.7 amd64 GNOME XML library
-ii  libxml2-dev:amd64         2.9.4+dfsg1-6.1ubuntu1.7 amd64 Development files for the GNOME XML library
+ii  libxml2:amd64             2.9.4+dfsg1-6.1ubuntu1.8 amd64 GNOME XML library
+ii  libxml2-dev:amd64         2.9.4+dfsg1-6.1ubuntu1.8 amd64 Development files for the GNOME XML library
Assets 3
Loading