openSUSE Security Update : nasm (openSUSE-2020-952)

high Nessus Plugin ID 138733

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for nasm fixes the following issues :

nasm was updated to version 2.14.02.

This allows building of Mozilla Firefox 78ESR and also contains lots of bugfixes, security fixes and improvements.

- Fix crash due to multiple errors or warnings during the code generation pass if a list file is specified.

- Create all system-defined macros defore processing command-line given preprocessing directives (-p, -d, -u,
--pragma, --before).

- If debugging is enabled, define a __DEBUG_FORMAT__ predefined macro. See section 4.11.7.

- Fix an assert for the case in the obj format when a SEG operator refers to an EXTERN symbol declared further down in the code.

- Fix a corner case in the floating-point code where a binary, octal or hexadecimal floating-point having at least 32, 11, or 8 mantissa digits could produce slightly incorrect results under very specific conditions.

- Support -MD without a filename, for gcc compatibility.
-MF can be used to set the dependencies output filename.
See section 2.1.7.

- Fix -E in combination with -MD. See section 2.1.21.

- Fix missing errors on redefined labels; would cause convergence failure instead which is very slow and not easy to debug.

- Duplicate definitions of the same label with the same value is now explicitly permitted (2.14 would allow it in some circumstances.)

- Add the option --no-line to ignore %line directives in the source. See section 2.1.33 and section 4.10.1.

- Changed -I option semantics by adding a trailing path separator unconditionally.

- Fixed null dereference in corrupted invalid single line macros.

- Fixed division by zero which may happen if source code is malformed.

- Fixed out of bound access in processing of malformed segment override.

- Fixed out of bound access in certain EQU parsing.

- Fixed buffer underflow in float parsing.

- Added SGX (Intel Software Guard Extensions) instructions.

- Added +n syntax for multiple contiguous registers.

- Fixed subsections_via_symbols for macho object format.

- Added the --gprefix, --gpostfix, --lprefix, and
--lpostfix command line options, to allow command line base symbol renaming. See section 2.1.28.

- Allow label renaming to be specified by %pragma in addition to from the command line. See section 6.9.

- Supported generic %pragma namespaces, output and debug.
See section 6.10.

- Added the --pragma command line option to inject a %pragma directive. See section 2.1.29.

- Added the --before command line option to accept preprocess statement before input. See section 2.1.30.

- Added AVX512 VBMI2 (Additional Bit Manipulation), VNNI (Vector Neural Network), BITALG (Bit Algorithm), and GFNI (Galois Field New Instruction) instructions.

- Added the STATIC directive for local symbols that should be renamed using global-symbol rules. See section 6.8.

- Allow a symbol to be defined as EXTERN and then later overridden as GLOBAL or COMMON. Furthermore, a symbol declared EXTERN and then defined will be treated as GLOBAL. See section 6.5.

- The GLOBAL directive no longer is required to precede the definition of the symbol.

- Support private_extern as macho specific extension to the GLOBAL directive. See section 7.8.5.

- Updated UD0 encoding to match with the specification

- Added the --limit-X command line option to set execution limits. See section 2.1.31.

- Updated the Codeview version number to be aligned with MASM.

- Added the --keep-all command line option to preserve output files. See section 2.1.32.

- Added the --include command line option, an alias to -P (section 2.1.18).

- Added the --help command line option as an alias to -h (section 3.1).

- Added -W, -D, and -Q suffix aliases for RET instructions so the operand sizes of these instructions can be encoded without using o16, o32 or o64.

New upstream version 2.13.03 :

- Add flags: AES, VAES, VPCLMULQDQ

- Add VPCLMULQDQ instruction

- elf: Add missing dwarf loc section

- documentation updates This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected nasm packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1084631

https://bugzilla.opensuse.org/show_bug.cgi?id=1086186

https://bugzilla.opensuse.org/show_bug.cgi?id=1086227

https://bugzilla.opensuse.org/show_bug.cgi?id=1086228

https://bugzilla.opensuse.org/show_bug.cgi?id=1090519

https://bugzilla.opensuse.org/show_bug.cgi?id=1090840

https://bugzilla.opensuse.org/show_bug.cgi?id=1106878

https://bugzilla.opensuse.org/show_bug.cgi?id=1107592

https://bugzilla.opensuse.org/show_bug.cgi?id=1107594

https://bugzilla.opensuse.org/show_bug.cgi?id=1108404

https://bugzilla.opensuse.org/show_bug.cgi?id=1115758

https://bugzilla.opensuse.org/show_bug.cgi?id=1115774

https://bugzilla.opensuse.org/show_bug.cgi?id=1115795

https://bugzilla.opensuse.org/show_bug.cgi?id=1173538

Plugin Details

Severity: High

ID: 138733

File Name: openSUSE-2020-952.nasl

Version: 1.5

Type: local

Agent: unix

Published: 7/20/2020

Updated: 2/29/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-8881

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2018-8883

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nasm, p-cpe:/a:novell:opensuse:nasm-debuginfo, cpe:/o:novell:opensuse:15.1, p-cpe:/a:novell:opensuse:nasm-debugsource

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/13/2020

Vulnerability Publication Date: 3/20/2018

Reference Information

CVE: CVE-2018-1000667, CVE-2018-10016, CVE-2018-10254, CVE-2018-10316, CVE-2018-16382, CVE-2018-16517, CVE-2018-16999, CVE-2018-19214, CVE-2018-19215, CVE-2018-19216, CVE-2018-8881, CVE-2018-8882, CVE-2018-8883