Debian alert DLA-2996-1 (mruby)
| From: | Abhijith PA <abhijith@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 2996-1] mruby security update | |
| Date: | Fri, 06 May 2022 13:53:30 +0530 | |
| Message-ID: | <YnTbAhG+NinH29bs@disroot.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2996-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Abhijith PA May 06, 2022 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : mruby Version : 1.2.0+20161228+git30d5424a-1+deb9u1 CVE ID : CVE-2017-9527 CVE-2018-10191 CVE-2018-11743 CVE-2018-12249 CVE-2018-14337 CVE-2020-15866 Multiple security issues were discovered in mruby, a lightweight implementation of the Ruby language CVE-2017-9527 heap-based use-after-free vulnerability allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .rb file CVE-2018-10191 an integer overflow exists when handling OP_GETUPVAR in the presence of deep scope nesting, resulting in a use-after-free. An attacker that can cause Ruby code to be run can use this to possibly execute arbitrary code CVE-2018-11743 uninitialized pointer which allows attackers to cause a denial of service or possibly have unspecified other impact. CVE-2018-12249 There is a NULL pointer dereference in mrb_class_real because "class BasicObject" is not properly supported in class.c. CVE-2018-14337 a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length CVE-2020-15866 a heap-based buffer overflow in the mrb_yield_with_class function in vm.c because of incorrect VM stack handling For Debian 9 stretch, these problems have been fixed in version 1.2.0+20161228+git30d5424a-1+deb9u1. We recommend that you upgrade your mruby packages. For the detailed security status of mruby please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mruby Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmJ02wIACgkQhj1N8u2c KO9D5Q/9HNnc1LRSZ7lJm8+yE+sN9Pd+58VprfzlSC5VQoxkRM0UBMUPrDzfLyTj fs6rUn6tt78+XTorGj2nkB4REzEXVAcsdq09BZTs5kdQmYHxK1wSOcQKj6Dc5r34 jQcExVJvjWehqjKc7Y75OXIBCzzh7qBZnyDdM80Buaz1i4nSCpUCnFpcNLrlIhP5 AvYSuRyMBXTgPHY4XDvgBCMSuwq+Y5hf+6PWJXH/S/9g51lfvgz0dvhzR+zM2oQH 70CKeGVYhWugqpXFXlSFijeaDZAY2rBZCYvLvWistPSvNUVabrARaYNZPiAjGjYh Z/k8tYKyV7pIv3sJft/8cMmK3hqQ9ZDrvPH0r9qBE0WfD/syexcpM2VHKSOQU+4n nAWIo1TIp9vx5ob23vr+i/sg3CxRR5XeMLBrCGKsBqJBDnubRnJm/Zgm+euLgmDd tCLOZG+KzNcf4Qtv5DlmpmKMFvbFRrEuYjPoQvKjykc/XqKnXel7VsW2yU4Qnr4l 5vOSBe1G2fXcJmYoPo1AB5LUBgYKygmEfX6WGXA9fdK5P3/JXBYUCo6c+AGTxEFZ wcBKrc9f0LgwC65/mioAT02BRGQ4BjWeYbV38uX9f3KW8g+DnAaS7ao90ySMDu+d lZEMt63HrehZxJheZMuqNdkHjeDiaLcZSjR15d460064SC2CbqM= =b/x/ -----END PGP SIGNATURE-----