NewStart CGSL CORE 5.05 / MAIN 5.05 : mesa-libGLw Multiple Vulnerabilities (NS-SA-2023-0024)

critical Nessus Plugin ID 174065

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has mesa-libGLw packages installed that are affected by multiple vulnerabilities:

- An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). (CVE-2018-14598)

- An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact. (CVE-2018-14599)

- An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution. (CVE-2018-14600)

- Endless recursion exists in xkbcomp/expr.c in xkbcommon and libxkbcommon before 0.8.1, which could be used by local attackers to crash xkbcommon users by supplying a crafted keymap file that triggers boolean negation. (CVE-2018-15853)

- Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because geometry tokens were desupported incorrectly. (CVE-2018-15854)

- Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because the XkbFile for an xkb_geometry section was mishandled. (CVE-2018-15855)

- An infinite loop when reaching EOL unexpectedly in compose/parser.c (aka the keymap parser) in xkbcommon before 0.8.1 could be used by local attackers to cause a denial of service during parsing of crafted keymap files. (CVE-2018-15856)

- An invalid free in ExprAppendMultiKeysymList in xkbcomp/ast-build.c in xkbcommon before 0.8.1 could be used by local attackers to crash xkbcommon keymap parsers or possibly have unspecified other impact by supplying a crafted keymap file. (CVE-2018-15857)

- Unchecked NULL pointer usage when parsing invalid atoms in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because lookup failures are mishandled. (CVE-2018-15859)

- Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure. (CVE-2018-15861)

- Unchecked NULL pointer usage in LookupModMask in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with invalid virtual modifiers. (CVE-2018-15862)

- Unchecked NULL pointer usage in ResolveStateAndPredicate in xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression. (CVE-2018-15863)

- Unchecked NULL pointer usage in resolve_keysym in xkbcomp/parser.y in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because a map access attempt can occur for a map that was never created. (CVE-2018-15864)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL mesa-libGLw packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

http://security.gd-linux.com/notice/NS-SA-2023-0024

http://security.gd-linux.com/info/CVE-2018-14598

http://security.gd-linux.com/info/CVE-2018-14599

http://security.gd-linux.com/info/CVE-2018-14600

http://security.gd-linux.com/info/CVE-2018-15853

http://security.gd-linux.com/info/CVE-2018-15854

http://security.gd-linux.com/info/CVE-2018-15855

http://security.gd-linux.com/info/CVE-2018-15856

http://security.gd-linux.com/info/CVE-2018-15857

http://security.gd-linux.com/info/CVE-2018-15859

http://security.gd-linux.com/info/CVE-2018-15861

http://security.gd-linux.com/info/CVE-2018-15862

http://security.gd-linux.com/info/CVE-2018-15863

http://security.gd-linux.com/info/CVE-2018-15864

Plugin Details

Severity: Critical

ID: 174065

File Name: newstart_cgsl_NS-SA-2023-0024_mesa-libGLw.nasl

Version: 1.0

Type: local

Published: 4/11/2023

Updated: 4/11/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-14600

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_core:mesa-libglw, p-cpe:/a:zte:cgsl_main:mesa-libglw, cpe:/o:zte:cgsl_main:5, cpe:/o:zte:cgsl_core:5, p-cpe:/a:zte:cgsl_main:mesa-libglw-debuginfo, p-cpe:/a:zte:cgsl_core:mesa-libglw-debuginfo, p-cpe:/a:zte:cgsl_core:mesa-libglw-devel, p-cpe:/a:zte:cgsl_main:mesa-libglw-devel

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 4/11/2023

Vulnerability Publication Date: 8/21/2018

Reference Information

CVE: CVE-2018-14598, CVE-2018-14599, CVE-2018-14600, CVE-2018-15853, CVE-2018-15854, CVE-2018-15855, CVE-2018-15856, CVE-2018-15857, CVE-2018-15859, CVE-2018-15861, CVE-2018-15862, CVE-2018-15863, CVE-2018-15864