This repository has been archived by the owner on Oct 10, 2023. It is now read-only.

0.351.0

cf-buildpacks-eng released this 09 Feb 19:56

Notably, this release addresses:

USN-5849-1: Heimdal vulnerabilities:

USN-5845-1: OpenSSL vulnerabilities:

  • CVE-2023-0286: There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
  • CVE-2023-0215: The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.

USN-5844-1: OpenSSL vulnerabilities:

  • CVE-2023-0286: There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
  • CVE-2022-4203: X.509 Name Constraints Read Buffer Overflow
  • CVE-2022-4304: A timing-based side channel exists in the OpenSSL RSA decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
  • CVE-2022-4450: The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
  • CVE-2023-0215: The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.
  • CVE-2023-0216: An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data.
  • CVE-2023-0217: An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3.
  • CVE-2023-0401: A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data.

USN-5825-2: PAM regressions:

  • CVE-2022-28321: The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.
  • https://launchpad.net/bugs/2006073: PAM: CVE-2022-28321 patch not correctly applied

USN-5825-1: PAM vulnerability:

  • CVE-2022-28321: The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.

USN-5806-2: Ruby vulnerability:

  • CVE-2021-33621: The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

USN-5810-2: Git regression:

  • CVE-2022-23521: Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a .gitattributes file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted .gitattributes file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
  • CVE-2022-41903: Git is a distributed revision control system. git log can display commits in an arbitrary format using its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute. When processing the padding operators, there is an integer overflow in pretty.c::format_and_pad_commit() where a size_t is stored improperly as an int, and then added as an offset to a memcpy(). This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable git archive in untrusted repositories. If you expose git archive via git daemon, disable it by running git config --global daemon.uploadArch false.
  • https://launchpad.net/bugs/2003246: Git 2.25.1 CVE-2022-23521 patches may be missing a small portion of the fixes

USN-5811-1: Sudo vulnerabilities:

  • CVE-2023-22809: In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
  • CVE-2022-33070: Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

USN-5810-1: Git vulnerabilities:

  • CVE-2022-23521: Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a .gitattributes file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted .gitattributes file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
  • CVE-2022-41903: Git is a distributed revision control system. git log can display commits in an arbitrary format using its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute. When processing the padding operators, there is an integer overflow in pretty.c::format_and_pad_commit() where a size_t is stored improperly as an int, and then added as an offset to a memcpy(). This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable git archive in untrusted repositories. If you expose git archive via git daemon, disable it by running git config --global daemon.uploadArch false.

USN-5807-1: libXpm vulnerabilities:

  • CVE-2022-44617: A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.
  • CVE-2022-46285: A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.
  • CVE-2022-4883: A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.

USN-5801-1: Vim vulnerabilities:

  • CVE-2022-0392: Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.
  • CVE-2022-0417: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
-ii  git                        1:2.17.1-1ubuntu0.13      amd64 fast, scalable, distributed revision control system
-ii  git-man                    1:2.17.1-1ubuntu0.13      all   fast, scalable, distributed revision control system (manual pages)
+ii  git                        1:2.17.1-1ubuntu0.15      amd64 fast, scalable, distributed revision control system
+ii  git-man                    1:2.17.1-1ubuntu0.15      all   fast, scalable, distributed revision control system (manual pages)
-ii  krb5-multidev:amd64        1.16-2ubuntu0.2           amd64 development files for MIT Kerberos without Heimdal conflict
-ii  krb5-user                  1.16-2ubuntu0.2           amd64 basic programs to authenticate using MIT Kerberos
+ii  krb5-multidev:amd64        1.16-2ubuntu0.3           amd64 development files for MIT Kerberos without Heimdal conflict
+ii  krb5-user                  1.16-2ubuntu0.3           amd64 basic programs to authenticate using MIT Kerberos
-ii  libasn1-8-heimdal:amd64    7.5.0+dfsg-1ubuntu0.3     amd64 Heimdal Kerberos - ASN.1 library
+ii  libasn1-8-heimdal:amd64    7.5.0+dfsg-1ubuntu0.4     amd64 Heimdal Kerberos - ASN.1 library
-ii  libgssapi-krb5-2:amd64     1.16-2ubuntu0.2           amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
-ii  libgssapi3-heimdal:amd64   7.5.0+dfsg-1ubuntu0.3     amd64 Heimdal Kerberos - GSSAPI support library
-ii  libgssrpc4:amd64           1.16-2ubuntu0.2           amd64 MIT Kerberos runtime libraries - GSS enabled ONCRPC
+ii  libgssapi-krb5-2:amd64     1.16-2ubuntu0.3           amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
+ii  libgssapi3-heimdal:amd64   7.5.0+dfsg-1ubuntu0.4     amd64 Heimdal Kerberos - GSSAPI support library
+ii  libgssrpc4:amd64           1.16-2ubuntu0.3           amd64 MIT Kerberos runtime libraries - GSS enabled ONCRPC
-ii  libhcrypto4-heimdal:amd64  7.5.0+dfsg-1ubuntu0.3     amd64 Heimdal Kerberos - crypto library
-ii  libheimbase1-heimdal:amd64 7.5.0+dfsg-1ubuntu0.3     amd64 Heimdal Kerberos - Base library
-ii  libheimntlm0-heimdal:amd64 7.5.0+dfsg-1ubuntu0.3     amd64 Heimdal Kerberos - NTLM support library
+ii  libhcrypto4-heimdal:amd64  7.5.0+dfsg-1ubuntu0.4     amd64 Heimdal Kerberos - crypto library
+ii  libheimbase1-heimdal:amd64 7.5.0+dfsg-1ubuntu0.4     amd64 Heimdal Kerberos - Base library
+ii  libheimntlm0-heimdal:amd64 7.5.0+dfsg-1ubuntu0.4     amd64 Heimdal Kerberos - NTLM support library
-ii  libhx509-5-heimdal:amd64   7.5.0+dfsg-1ubuntu0.3     amd64 Heimdal Kerberos - X509 support library
+ii  libhx509-5-heimdal:amd64   7.5.0+dfsg-1ubuntu0.4     amd64 Heimdal Kerberos - X509 support library
-ii  libk5crypto3:amd64         1.16-2ubuntu0.2           amd64 MIT Kerberos runtime libraries - Crypto Library
-ii  libkadm5clnt-mit11:amd64   1.16-2ubuntu0.2           amd64 MIT Kerberos runtime libraries - Administration Clients
-ii  libkadm5srv-mit11:amd64    1.16-2ubuntu0.2           amd64 MIT Kerberos runtime libraries - KDC and Admin Server
-ii  libkdb5-9:amd64            1.16-2ubuntu0.2           amd64 MIT Kerberos runtime libraries - Kerberos database
+ii  libk5crypto3:amd64         1.16-2ubuntu0.3           amd64 MIT Kerberos runtime libraries - Crypto Library
+ii  libkadm5clnt-mit11:amd64   1.16-2ubuntu0.3           amd64 MIT Kerberos runtime libraries - Administration Clients
+ii  libkadm5srv-mit11:amd64    1.16-2ubuntu0.3           amd64 MIT Kerberos runtime libraries - KDC and Admin Server
+ii  libkdb5-9:amd64            1.16-2ubuntu0.3           amd64 MIT Kerberos runtime libraries - Kerberos database
-ii  libkrb5-26-heimdal:amd64   7.5.0+dfsg-1ubuntu0.3     amd64 Heimdal Kerberos - libraries
-ii  libkrb5-3:amd64            1.16-2ubuntu0.2           amd64 MIT Kerberos runtime libraries
-ii  libkrb5-dev:amd64          1.16-2ubuntu0.2           amd64 headers and development libraries for MIT Kerberos
-ii  libkrb5support0:amd64      1.16-2ubuntu0.2           amd64 MIT Kerberos runtime libraries - Support library
+ii  libkrb5-26-heimdal:amd64   7.5.0+dfsg-1ubuntu0.4     amd64 Heimdal Kerberos - libraries
+ii  libkrb5-3:amd64            1.16-2ubuntu0.3           amd64 MIT Kerberos runtime libraries
+ii  libkrb5-dev:amd64          1.16-2ubuntu0.3           amd64 headers and development libraries for MIT Kerberos
+ii  libkrb5support0:amd64      1.16-2ubuntu0.3           amd64 MIT Kerberos runtime libraries - Support library
-ii  libpam-modules:amd64       1.1.8-3.6ubuntu2.18.04.3  amd64 Pluggable Authentication Modules for PAM
-ii  libpam-modules-bin         1.1.8-3.6ubuntu2.18.04.3  amd64 Pluggable Authentication Modules for PAM - helper binaries
-ii  libpam-runtime             1.1.8-3.6ubuntu2.18.04.3  all   Runtime support for the PAM library
-ii  libpam0g:amd64             1.1.8-3.6ubuntu2.18.04.3  amd64 Pluggable Authentication Modules library
+ii  libpam-modules:amd64       1.1.8-3.6ubuntu2.18.04.6  amd64 Pluggable Authentication Modules for PAM
+ii  libpam-modules-bin         1.1.8-3.6ubuntu2.18.04.6  amd64 Pluggable Authentication Modules for PAM - helper binaries
+ii  libpam-runtime             1.1.8-3.6ubuntu2.18.04.6  all   Runtime support for the PAM library
+ii  libpam0g:amd64             1.1.8-3.6ubuntu2.18.04.6  amd64 Pluggable Authentication Modules library
-ii  libroken18-heimdal:amd64   7.5.0+dfsg-1ubuntu0.3     amd64 Heimdal Kerberos - roken support library
+ii  libroken18-heimdal:amd64   7.5.0+dfsg-1ubuntu0.4     amd64 Heimdal Kerberos - roken support library
-ii  libruby2.5:amd64           2.5.1-1ubuntu1.12         amd64 Libraries necessary to run Ruby 2.5
+ii  libruby2.5:amd64           2.5.1-1ubuntu1.13         amd64 Libraries necessary to run Ruby 2.5
-ii  libssl-dev:amd64           1.1.1-1ubuntu2.1~18.04.20 amd64 Secure Sockets Layer toolkit - development files
-ii  libssl1.0.0:amd64          1.0.2n-1ubuntu5.10        amd64 Secure Sockets Layer toolkit - shared libraries
-ii  libssl1.1:amd64            1.1.1-1ubuntu2.1~18.04.20 amd64 Secure Sockets Layer toolkit - shared libraries
+ii  libssl-dev:amd64           1.1.1-1ubuntu2.1~18.04.21 amd64 Secure Sockets Layer toolkit - development files
+ii  libssl1.0.0:amd64          1.0.2n-1ubuntu5.11        amd64 Secure Sockets Layer toolkit - shared libraries
+ii  libssl1.1:amd64            1.1.1-1ubuntu2.1~18.04.21 amd64 Secure Sockets Layer toolkit - shared libraries
-ii  libwind0-heimdal:amd64     7.5.0+dfsg-1ubuntu0.3     amd64 Heimdal Kerberos - stringprep implementation
+ii  libwind0-heimdal:amd64     7.5.0+dfsg-1ubuntu0.4     amd64 Heimdal Kerberos - stringprep implementation
-ii  libxpm-dev:amd64           1:3.5.12-1                amd64 X11 pixmap library (development headers)
-ii  libxpm4:amd64              1:3.5.12-1                amd64 X11 pixmap library
+ii  libxpm-dev:amd64           1:3.5.12-1ubuntu0.18.04.2 amd64 X11 pixmap library (development headers)
+ii  libxpm4:amd64              1:3.5.12-1ubuntu0.18.04.2 amd64 X11 pixmap library
-ii  linux-libc-dev:amd64       4.15.0-202.213            amd64 Linux Kernel Headers for development
+ii  linux-libc-dev:amd64       4.15.0-204.215            amd64 Linux Kernel Headers for development
-ii  openssl                    1.1.1-1ubuntu2.1~18.04.20 amd64 Secure Sockets Layer toolkit - cryptographic utility
-ii  openssl1.0                 1.0.2n-1ubuntu5.10        amd64 Secure Sockets Layer toolkit 1.0 - cryptographic utility
+ii  openssl                    1.1.1-1ubuntu2.1~18.04.21 amd64 Secure Sockets Layer toolkit - cryptographic utility
+ii  openssl1.0                 1.0.2n-1ubuntu5.11        amd64 Secure Sockets Layer toolkit 1.0 - cryptographic utility
-ii  python3-pkg-resources      39.0.1-2                  all   Package Discovery and Resource Access using pkg_resources
+ii  python3-pkg-resources      39.0.1-2ubuntu0.1         all   Package Discovery and Resource Access using pkg_resources
-ii  ruby2.5                    2.5.1-1ubuntu1.12         amd64 Interpreter of object-oriented scripting language Ruby
+ii  ruby2.5                    2.5.1-1ubuntu1.13         amd64 Interpreter of object-oriented scripting language Ruby
-ii  sudo                       1.8.21p2-3ubuntu1.4       amd64 Provide limited super user privileges to specific users
+ii  sudo                       1.8.21p2-3ubuntu1.5       amd64 Provide limited super user privileges to specific users
-ii  ubuntu-advantage-tools     27.12~18.04.1             amd64 management tools for Ubuntu Pro
+ii  ubuntu-advantage-tools     27.13.3~18.04.1           amd64 management tools for Ubuntu Pro