openSUSE Security Update : nim (openSUSE-2021-618)

high Nessus Plugin ID 149589

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for nim fixes the following issues :

num was updated to version 1.2.12 :

- Fixed GC crash resulting from inlining of the memory allocation procs

- Fixed “incorrect raises effect for $(NimNode)” (#17454)

From version 1.2.10 :

- Fixed “JS backend doesn’t handle float->int type conversion “ (#8404)

- Fixed “The “try except” not work when the “OSError: Too many open files” error occurs!” (#15925)

- Fixed “Nim emits #line 0 C preprocessor directives with –debugger:native, with ICE in gcc-10”
(#15942)

- Fixed “tfuturevar fails when activated”
(#9695)

- Fixed “nre.escapeRe is not gcsafe” (#16103)

- Fixed ““Error: internal error:
genRecordFieldAux” - in the “version-1-4” branch” (#16069)

- Fixed “-d:fulldebug switch does not compile with gc:arc” (#16214)

- Fixed “osLastError may randomly raise defect and crash” (#16359)

- Fixed “generic importc proc’s don’t work (breaking lots of vmops procs for js)”
(#16428)

- Fixed “Concept: codegen ignores parameter passing” (#16897)

- Fixed “(.push exportc.) interacts with anonymous functions” (#16967)

- Fixed “memory allocation during (.global.) init breaks GC” (#17085)

- Fixed 'Nimble arbitrary code execution for specially crafted package metadata'

+ https://github.com/nim-lang/security/security/advisories /GHSA-rg9f-w24h-962p

+ (boo#1185083, CVE-2021-21372)

- Fixed 'Nimble falls back to insecure http url when fetching packages'

+ https://github.com/nim-lang/security/security/advisories /GHSA-8w52-r35x-rgp8

+ (boo#1185084, CVE-2021-21373)

- Fixed 'Nimble fails to validate certificates due to insecure httpClient defaults'

+ https://github.com/nim-lang/security/security/advisories /GHSA-c2wm-v66h-xhxx

+ (boo#1185085, CVE-2021-21374)

from version 1.2.8

- Fixed “Defer and –gc:arc” (#15071)

- Fixed “Issue with –gc:arc at compile time” (#15129)

- Fixed “Nil check on each field fails in generic function” (#15101)

- Fixed “[strscans] scanf doesn’t match a single character with $+ if it’s the end of the string” (#15064)

- Fixed “Crash and incorrect return values when using readPasswordFromStdin on Windows.” (#15207)

- Fixed “Inconsistent unsigned -> signed RangeDefect usage across integer sizes” (#15210)

- Fixed “toHex results in RangeDefect exception when used with large uint64” (#15257)

- Fixed “Mixing ‘return’ with expressions is allowed in 1.2” (#15280)

- Fixed “proc execCmdEx doesn’t work with
-d:useWinAnsi” (#14203)

- Fixed “memory corruption in tmarshall.nim”
(#9754)

- Fixed “Wrong number of variables” (#15360)

- Fixed “defer doesnt work with block, break and await” (#15243)

- Fixed “Sizeof of case object is incorrect.
Showstopper” (#15516)

- Fixed “Mixing ‘return’ with expressions is allowed in 1.2” (#15280)

- Fixed “regression(1.0.2 => 1.0.4) VM register messed up depending on unrelated context” (#15704)

from version 1.2.6

- Fixed “The pegs module doesn’t work with generics!” (#14718)

- Fixed “[goto exceptions] (.noReturn.) pragma is not detected in a case expression” (#14458)

- Fixed “[exceptions:goto] C compiler error with dynlib pragma calling a proc” (#14240)

- Fixed “Nim source archive install:
‘install.sh’ fails with error: cp: cannot stat ‘bin/nim-gdb’: No such file or directory” (#14748)

- Fixed “Stropped identifiers don’t work as field names in tuple literals” (#14911)

- Fixed “uri.decodeUrl crashes on incorrectly formatted input” (#14082)

- Fixed “odbcsql module has some wrong integer types” (#9771)

- Fixed “[ARC] Compiler crash declaring a finalizer proc directly in ‘new’” (#15044)

- Fixed “code with named arguments in proc of winim/com can not been compiled” (#15056)

- Fixed “javascript backend produces JavaScript code with syntax error in object syntax” (#14534)

- Fixed “[ARC] SIGSEGV when calling a closure as a tuple field in a seq” (#15038)

- Fixed “Compiler crashes when using string as object variant selector with else branch” (#14189)

- Fixed “Constructing a uint64 range on a 32-bit machine leads to incorrect codegen” (#14616)

Update to version 1.2.2 :

- See https://nim-lang.org/blog.html for details

Update to version 1.0.2 :

- See https://nim-lang.org/blog.html for details

Solution

Update the affected nim packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1185083

https://bugzilla.opensuse.org/show_bug.cgi?id=1185084

https://bugzilla.opensuse.org/show_bug.cgi?id=1185085

http://www.nessus.org/u?c8e0330b

http://www.nessus.org/u?0791b363

http://www.nessus.org/u?8d0b1bba

https://nim-lang.org/blog.html

Plugin Details

Severity: High

ID: 149589

File Name: openSUSE-2021-618.nasl

Version: 1.4

Type: local

Agent: unix

Published: 5/18/2021

Updated: 1/1/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-21374

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-21372

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nim, p-cpe:/a:novell:opensuse:nim-debuginfo, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/25/2021

Vulnerability Publication Date: 3/26/2021

Reference Information

CVE: CVE-2021-21372, CVE-2021-21373, CVE-2021-21374