Giters

MagnetForensics / dumpit-linux

Memory acquisition for Linux that makes sense.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

vergen-7.4.3.crate: 3 vulnerabilities (highest severity is: 9.8)

mend-for-github-com opened this issue · comments

commented
Vulnerable Library - vergen-7.4.3.crate

Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (vergen version) Remediation Available
CVE-2022-37434 High 9.8 detected in multiple dependencies Transitive N/A*
CVE-2018-25032 High 7.5 detected in multiple dependencies Transitive N/A*
WS-2020-0368 Medium 6.5 detected in multiple dependencies Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-37434

Vulnerable Libraries - libz-sys-1.1.8.crate, libgit2-sys-0.13.4+1.4.2.crate

libz-sys-1.1.8.crate

Low-level bindings to the system libz library (also known as zlib).

Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.8/download

Dependency Hierarchy:

  • vergen-7.4.3.crate (Root Library)
    • git2-0.14.4.crate
      • libgit2-sys-0.13.4+1.4.2.crate
        • libz-sys-1.1.8.crate (Vulnerable Library)

libgit2-sys-0.13.4+1.4.2.crate

Native bindings to the libgit2 library

Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.13.4+1.4.2/download

Dependency Hierarchy:

  • vergen-7.4.3.crate (Root Library)
    • git2-0.14.4.crate
      • libgit2-sys-0.13.4+1.4.2.crate (Vulnerable Library)

Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc

Found in base branch: main

Vulnerability Details

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Publish Date: 2022-08-05

URL: CVE-2022-37434

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2018-25032

Vulnerable Libraries - libgit2-sys-0.13.4+1.4.2.crate, libz-sys-1.1.8.crate

libgit2-sys-0.13.4+1.4.2.crate

Native bindings to the libgit2 library

Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.13.4+1.4.2/download

Dependency Hierarchy:

  • vergen-7.4.3.crate (Root Library)
    • git2-0.14.4.crate
      • libgit2-sys-0.13.4+1.4.2.crate (Vulnerable Library)

libz-sys-1.1.8.crate

Low-level bindings to the system libz library (also known as zlib).

Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.8/download

Dependency Hierarchy:

  • vergen-7.4.3.crate (Root Library)
    • git2-0.14.4.crate
      • libgit2-sys-0.13.4+1.4.2.crate
        • libz-sys-1.1.8.crate (Vulnerable Library)

Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc

Found in base branch: main

Vulnerability Details

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Publish Date: 2022-03-25

URL: CVE-2018-25032

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-25032

Release Date: 2022-03-25

Fix Resolution: libstd-rs - 1.57.0;bioconductor-netreg - 1.13.1;tcl - 8.6.11;sudo - 1.8.32;bjam-native - 1.74.0;ccache - 4.1,3.3.4;libgit2 - 1.3.0;cmake - 3.19.5,3.7.2,3.7.0,3.22.0,3.17.3;slamdunk - 0.4.0;rsync - 3.2.1;cmake-native - 3.15.5,3.18.4,3.17.3,3.22.0,3.7.0;mentalist - 0.2.3;ghostscript - 9.55.0

WS-2020-0368

Vulnerable Libraries - libz-sys-1.1.8.crate, libgit2-sys-0.13.4+1.4.2.crate

libz-sys-1.1.8.crate

Low-level bindings to the system libz library (also known as zlib).

Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.8/download

Dependency Hierarchy:

  • vergen-7.4.3.crate (Root Library)
    • git2-0.14.4.crate
      • libgit2-sys-0.13.4+1.4.2.crate
        • libz-sys-1.1.8.crate (Vulnerable Library)

libgit2-sys-0.13.4+1.4.2.crate

Native bindings to the libgit2 library

Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.13.4+1.4.2/download

Dependency Hierarchy:

  • vergen-7.4.3.crate (Root Library)
    • git2-0.14.4.crate
      • libgit2-sys-0.13.4+1.4.2.crate (Vulnerable Library)

Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc

Found in base branch: main

Vulnerability Details

Zlib in versions v0.8 to v1.2.11 is vulnerable to use-of-uninitialized-value in inflate.
There are a couple of places in inflate() where UPDATE is called with state->check as its first parameter, without a guarantee that this value has been initialized (state comes from a ZALLOC in inflateInit). This causes use of uninitialized check value.

Publish Date: 2020-02-22

URL: WS-2020-0368

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0368

Release Date: 2020-02-22

Fix Resolution: cmake-native - 3.15.5;binutils-cross-testsuite - 2.35;libstd-rs - 1.57.0;gdb - 11.1,9.2;tcl - 8.6.11;sudo - 1.8.32;binutils - 2.35,2.28;ccache - 3.3.3,4.1;libgit2 - 1.3.0;cmake - 3.19.5,3.7.0,3.7.2,3.22.0,3.17.3;cmake-native - 3.17.3,3.7.0,3.22.0,3.18.4;ghostscript - 9.55.0

commented

This package is only used in build-dependencies which is low priority and the latest version of vergen is 7.4.3 - https://github.com/rustyhorde/vergen