Main Vulnerability Database SB2022062255

SB2022062255 - Fedora 36 update for apptainer, asciigraph, buildah, butane, caddy, cheat, clipman, cri-o, deepin-gir-generator, docker-distribution, git-lfs, git-octopus, gmailctl, go-bindata, godep, golang, golang-ariga-atlas, golang-entgo-ent, golang-github-chromedp,

Published: June 22, 2022

Security Bulletin ID SB2022062255

Severity

Medium

Patch available

YES

Number of vulnerabilities 6

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Overly permissive cross-domain whitelist (CVE-ID: CVE-2022-1996)

The vulnerability allows a remote attacker to bypass the CORS protection mechanism.

The vulnerability exists due to incorrect processing of the "Origin" HTTP header that is supplied within HTTP request. A remote attacker can supply arbitrary value via the "Origin" HTTP header, bypass implemented CORS protection mechanism and perform cross-site scripting attacks against the vulnerable application.

2) Buffer overflow (CVE-ID: CVE-2022-24675)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the Golang's library encoding/pem. A remote attacker can send to victim a large (more than 5 MB) PEM input to cause a stack overflow in Decode and perform a denial of service (DoS) attack.

3) Integer overflow (CVE-ID: CVE-2022-28327)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to integer overflow in the Golang's library crypto/elliptic. A remote attacker can send a specially crafted scalar input longer than 32 bytes to cause P256().ScalarMult or P256().ScalarBaseMult to panic and perform a denial of service attack.

4) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-27191)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b, as used in Go programming language. A remote attacker can crash a server in certain circumstances involving AddHostKey.

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-29526)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the Faccessat function can incorrectly report that a file is accessible, when called with a non-zero flags parameter. An attacker can bypass implemented security restrictions.

6) Use of insufficiently random values (CVE-ID: CVE-2022-30629)

The vulnerability allows a remote attacker gain access to sensitive information.

The vulnerability exists in crypto/tls implementation when generating TLS tickets age. The newSessionTicketMsgTLS13.ageAdd is always set to "0" instead of a random value.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2022-ba365d3703

Vulnerable Software

Fedora: 36
xe-guest-utilities-latest: before 7.30.0-4.fc36
skopeo: before 1.8.0-9.fc36
singularity: before 3.8.7-2.fc36
runc: before 1.1.1-2.fc36
restic: before 0.12.1-3.fc36
reposurgeon: before 4.32-2.fc36
podman: before 4.1.1-2.fc36
pack: before 0.27.0~rc1-4.fc36
osbuild-composer: before 55-2.fc36
origin: before 3.11.2-6.fc36
oci-seccomp-bpf-hook: before 1.2.5-3.fc36
manifest-tool: before 2.0.3-2.fc36
kompose: before 1.17.0-9.fc36
kata-containers: before 2.3.3-2.fc36.1
ignition: before 2.14.0-2.fc36
gron: before 0.7.1-2.fc36
grafana-pcp: before 3.2.0-3.fc36
grafana: before 7.5.15-3.fc36
gotun: before 0-0.14.gita9dbe4d.fc36
google-guest-agent: before 20201217.02-4.fc36
gomtree: before 0.4.0-11.fc36
golang-starlark: before 0-0.7.20210113gite81fc95.fc36
golang-rsc-pdf: before 0.1.1-10.fc36
golang-github-zyedidia-highlight: before 0-0.6.20200218git291680f.fc36
golang-github-tscholl2-siec: before 0-3.20211128git9bdfc48.fc36
golang-github-tomnomnom-xtermcolor: before 0.1.2-8.fc36
golang-github-sqshq-sampler: before 1.1.0-9.fc36
golang-github-segmentio-ksuid: before 1.0.4-3.fc36
golang-github-rickb777-date: before 1.19.1-2.fc36
golang-github-msprev-fzf-bibtex: before 1.1-5.20220205gitd5df2c6.fc36
golang-github-mozillazg-pinyin: before 0.19.0-4.fc36
golang-github-mbndr-figlet4go: before 0-0.8.20191009gitd6cef5b.fc36
golang-github-lunixbochs-vtclean: before 1.0.0-8.fc36
golang-github-lofanmi-pinyin: before 1.0-4.fc36
golang-github-letsencrypt-pebble: before 2.3.1-5.fc36
golang-github-kalafut-imohash: before 1.0.2-3.fc36
golang-github-heistp-irtt: before 0.9.1-2.fc36
golang-github-google-dap: before 0.4.0-4.fc36
golang-github-elves-elvish: before 0.15.0-4.fc36
golang-github-client9-gospell: before 0-0.11.20190524git90dfc71.fc36
golang-github-chromedp: before 0.8.1-2.fc36
golang-entgo-ent: before 0.10.0-4.fc36
golang-ariga-atlas: before 0.3.6-3.fc36
golang: before 1.18.3-2.fc36
godep: before 62-17.fc36
go-bindata: before 3.0.7-22.gita0ff256.fc36
gmailctl: before 0.10.4-3.fc36
git-octopus: before 2.0-0.4.beta.3.fc36.12
git-lfs: before 3.1.2-4.fc36
docker-distribution: before 2.6.2-17.git48294d9.fc36
deepin-gir-generator: before 2.1.0-3.fc36
cri-o: before 1.24.1-2.fc36
clipman: before 1.6.1-3.fc36
cheat: before 4.2.2-4.fc36
caddy: before 2.4.6-3.fc36
butane: before 0.14.0-2.fc36
buildah: before 1.26.1-4.fc36
asciigraph: before 0.5.5-2.fc36
apptainer: before 1.0.2-2.fc36