Vulnerabilities > CVE-2016-6293 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Icu-Project International Components for Unicode

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(92556);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/19");

  script_cve_id(
    "CVE-2016-5385",
    "CVE-2016-5399",
    "CVE-2016-6207",
    "CVE-2016-6289",
    "CVE-2016-6290",
    "CVE-2016-6291",
    "CVE-2016-6292",
    "CVE-2016-6293",
    "CVE-2016-6294",
    "CVE-2016-6295",
    "CVE-2016-6296",
    "CVE-2016-6297"
  );
  script_bugtraq_id(
    91821,
    92051,
    92073,
    92074,
    92078,
    92094,
    92095,
    92097,
    92099
  );
  script_xref(name:"CERT", value:"797896");
  script_xref(name:"EDB-ID", value:"40155");

  script_name(english:"PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy)");
  script_summary(english:"Checks the version of PHP.");

  script_set_attribute(attribute:"synopsis", value:
"The version of PHP running on the remote web server is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web
server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple
vulnerabilities :

  - A man-in-the-middle vulnerability exists, known as
    'httpoxy', due to a failure to properly resolve
    namespace conflicts in accordance with RFC 3875 section
    4.1.18. The HTTP_PROXY environment variable is set based
    on untrusted user data in the 'Proxy' header of HTTP
    requests. The HTTP_PROXY environment variable is used by
    some web client libraries to specify a remote proxy
    server. An unauthenticated, remote attacker can exploit
    this, via a crafted 'Proxy' header in an HTTP request,
    to redirect an application's internal HTTP traffic to an
    arbitrary proxy server where it may be observed or
    manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()
    function within file ext/bz2/bz2.c due to improper
    handling of error conditions. An unauthenticated, remote
    attacker can exploit this, via a crafted request, to
    execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),
    specifically in the gdImageScaleTwoPass() function
    within file gd_interpolation.c, due to improper
    validation of user-supplied input. An unauthenticated,
    remote attacker can exploit this to cause a denial of
    service condition. (CVE-2016-6207)

  - An integer overflow condition exists in the
    virtual_file_ex() function within file
    Zend/zend_virtual_cwd.c due to improper validation of
    user-supplied input. An unauthenticated, remote attacker
    can exploit this to cause a denial of service condition
    or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file
    ext/session/session.c when handling 'var_hash'
    destruction. An unauthenticated, remote attacker can
    exploit this to deference already freed memory,
    resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the
    exif_process_IFD_in_MAKERNOTE() function within file
    ext/exif/exif.c. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition or
    disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the
    exif_process_user_comment() function within file
    ext/exif/exif.c. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the
    locale_accept_from_http() function within file
    ext/intl/locale/locale_methods.c. An unauthenticated,
    remote attacker can exploit these to cause a denial of
    service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file
    ext/snmp/snmp.c when handling garbage collection during
    deserialization of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    deference already freed memory, resulting in the
    execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the
    simplestring_addn() function within file simplestring.c
    due to improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the
    php_stream_zip_opener() function within file
    ext/zip/zip_stream.c due to improper validation of
    user-supplied input when handling zip streams. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics
    Library (libgd), specifically in the
    gdImageScaleBilinearPalette() function within file
    gd_interpolation.c, when handling transparent color. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or disclose
    memory contents.

  - A heap-based buffer overflow condition exists in the
    mdecrypt_generic() function within file
    ext/mcrypt/mcrypt.c due to improper validation of
    user-supplied input. An unauthenticated, remote attacker
    can exploit this to cause a denial of service condition
    or the execution of arbitrary code.

  - A flaw exists in the curl_unescape() function within
    file ext/curl/interface.c when handling string lengths.
    An unauthenticated, remote attacker can exploit this to
    cause heap corruption, resulting in a denial of service
    condition.

  - A heap-based buffer overflow condition exists in the
    mcrypt_generic() function within file
    ext/mcrypt/mcrypt.c due to improper validation of
    user-supplied input. An unauthenticated, remote attacker
    can exploit this to cause a denial of service condition
    or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library
    (libgd) in the gdImageColorTransparent() function due to
    improper handling of negative transparent colors. A
    remote attacker can exploit this to disclose memory
    contents.");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.0.9");
  script_set_attribute(attribute:"see_also", value:"https://httpoxy.org");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 7.0.9 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6296");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^7(\.0)?$")
  audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
if (version !~ "^7\.0\.") audit(AUDIT_NOT_DETECT, "PHP version 7.0.x", port);

if (version =~ "^7\.0\." && ver_compare(ver:version, fix:"7.0.9", strict:FALSE) < 0){
  security_report_v4(
  port  : port,
  extra :
    '\n  Version source    : ' + source +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : 7.0.9' +
    '\n',
  severity:SECURITY_HOLE
  );
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201701-58.
#
# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(96744);
  script_version("$Revision: 3.1 $");
  script_cvs_date("$Date: 2017/01/25 14:53:04 $");

  script_cve_id("CVE-2015-2632", "CVE-2016-6293", "CVE-2016-7415");
  script_xref(name:"GLSA", value:"201701-58");

  script_name(english:"GLSA-201701-58 : ICU: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-201701-58
(ICU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ICU. Please review the
      CVE identifiers referenced below for details.
  
Impact :

    Remote attackers could cause a Denial of Service condition or possibly
      have other unspecified impacts via a long locale string or
      httpAcceptLanguage argument.  Additionally, A remote attacker, via a
      specially crafted file, could cause an application using ICU to parse
      untrusted font files resulting in a Denial of Service condition.
      Finally, remote attackers could affect confidentiality via unknown
      vectors related to 2D.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201701-58"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All ICU users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=dev-libs/icu-58.1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:icu");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"dev-libs/icu", unaffected:make_list("ge 58.1"), vulnerable:make_list("lt 58.1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ICU");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2016-a2b9adcd5c.
#

include("compat.inc");

if (description)
{
  script_id(94618);
  script_version("2.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-6293");
  script_xref(name:"FEDORA", value:"2016-a2b9adcd5c");

  script_name(english:"Fedora 24 : icu (2016-a2b9adcd5c)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Security fix for CVE-2016-6293

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-a2b9adcd5c"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected icu package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:icu");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/08");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC24", reference:"icu-56.1-5.fc24")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icu");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(132129);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");

  script_cve_id(
    "CVE-2014-7923",
    "CVE-2014-7926",
    "CVE-2014-9654",
    "CVE-2015-4844",
    "CVE-2016-6293",
    "CVE-2016-7415",
    "CVE-2017-7867",
    "CVE-2017-7868"
  );
  script_bugtraq_id(
    72288,
    72980
  );

  script_name(english:"EulerOS 2.0 SP3 : icu (EulerOS-SA-2019-2594)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the icu packages installed, the EulerOS
installation on the remote host is affected by the following
vulnerabilities :

  - International Components for Unicode (ICU) for C/C++
    before 2017-02-13 has an out-of-bounds write caused by
    a heap-based buffer overflow related to the
    utf8TextAccess function in common/utext.cpp and the
    utext_moveIndex32* function.(CVE-2017-7868)

  - International Components for Unicode (ICU) for C/C++
    before 2017-02-13 has an out-of-bounds write caused by
    a heap-based buffer overflow related to the
    utf8TextAccess function in common/utext.cpp and the
    utext_setNativeIndex* function.(CVE-2017-7867)

  - Stack-based buffer overflow in the Locale class in
    common/locid.cpp in International Components for
    Unicode (ICU) through 57.1 for C/C++ allows remote
    attackers to cause a denial of service (application
    crash) or possibly have unspecified other impact via a
    long locale string.(CVE-2016-7415)

  - The Regular Expressions package in International
    Components for Unicode (ICU) 52 before SVN revision
    292944, as used in Google Chrome before 40.0.2214.91,
    allows remote attackers to cause a denial of service
    (memory corruption) or possibly have unspecified other
    impact via vectors related to a look-behind
    expression.(CVE-2014-7923)

  - The Regular Expressions package in International
    Components for Unicode (ICU) 52 before SVN revision
    292944, as used in Google Chrome before 40.0.2214.91,
    allows remote attackers to cause a denial of service
    (memory corruption) or possibly have unspecified other
    impact via vectors related to a zero-length
    quantifier.(CVE-2014-7926)

  - The Regular Expressions package in International
    Components for Unicode (ICU) for C/C++ before
    2014-12-03, as used in Google Chrome before
    40.0.2214.91, calculates certain values without
    ensuring that they can be represented in a 24-bit
    field, which allows remote attackers to cause a denial
    of service (memory corruption) or possibly have
    unspecified other impact via a crafted string, a
    related issue to CVE-2014-7923.(CVE-2014-9654)

  - The uloc_acceptLanguageFromHTTP function in
    common/uloc.cpp in International Components for Unicode
    (ICU) through 57.1 for C/C++ does not ensure that there
    is a '\0' character at the end of a certain temporary
    array, which allows remote attackers to cause a denial
    of service (out-of-bounds read) or possibly have
    unspecified other impact via a call with a long
    httpAcceptLanguage argument.(CVE-2016-6293)

  - Unspecified vulnerability in Oracle Java SE 6u101,
    7u85, and 8u60, and Java SE Embedded 8u51, allows
    remote attackers to affect confidentiality, integrity,
    and availability via unknown vectors related to
    2D.(CVE-2015-4844)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2594
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?57a73d45");
  script_set_attribute(attribute:"solution", value:
"Update the affected icu packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libicu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libicu-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["libicu-50.1.2-15.h5",
        "libicu-devel-50.1.2-15.h5"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icu");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(92554);
  script_version("1.18");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id(
    "CVE-2015-8879",
    "CVE-2016-5385",
    "CVE-2016-5399",
    "CVE-2016-6207",
    "CVE-2016-6288",
    "CVE-2016-6289",
    "CVE-2016-6290",
    "CVE-2016-6291",
    "CVE-2016-6292",
    "CVE-2016-6293",
    "CVE-2016-6294",
    "CVE-2016-6295",
    "CVE-2016-6296",
    "CVE-2016-6297"
  );
  script_bugtraq_id(
    90842,
    91821,
    92051,
    92073,
    92074,
    92078,
    92094,
    92095,
    92097,
    92099,
    92111
  );
  script_xref(name:"CERT", value:"797896");
  script_xref(name:"EDB-ID", value:"40155");

  script_name(english:"PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy)");
  script_summary(english:"Checks the version of PHP.");

  script_set_attribute(attribute:"synopsis", value:
"The version of PHP running on the remote web server is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web
server is 5.5.x prior to 5.5.38. It is, therefore, affected by
multiple vulnerabilities :

  - A Segfault condition occurs when accessing
    nvarchar(max) defined columns. (CVE-2015-8879)

  - A man-in-the-middle vulnerability exists, known as
    'httpoxy', due to a failure to properly resolve
    namespace conflicts in accordance with RFC 3875 section
    4.1.18. The HTTP_PROXY environment variable is set based
    on untrusted user data in the 'Proxy' header of HTTP
    requests. The HTTP_PROXY environment variable is used by
    some web client libraries to specify a remote proxy
    server. An unauthenticated, remote attacker can exploit
    this, via a crafted 'Proxy' header in an HTTP request,
    to redirect an application's internal HTTP traffic to an
    arbitrary proxy server where it may be observed or
    manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()
    function within file ext/bz2/bz2.c due to improper
    handling of error conditions. An unauthenticated, remote
    attacker can exploit this, via a crafted request, to
    execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),
    specifically in the gdImageScaleTwoPass() function
    within file gd_interpolation.c, due to improper
    validation of user-supplied input. An unauthenticated,
    remote attacker can exploit this to cause a denial of
    service condition. (CVE-2016-6207)

  - A buffer overflow condition exists in the
    php_url_parse_ex() function. (CVE-2016-6288)

  - An integer overflow condition exists in the
    virtual_file_ex() function within file
    Zend/zend_virtual_cwd.c due to improper validation of
    user-supplied input. An unauthenticated, remote attacker
    can exploit this to cause a denial of service condition
    or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file
    ext/session/session.c when handling 'var_hash'
    destruction. An unauthenticated, remote attacker can
    exploit this to deference already freed memory,
    resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the
    exif_process_IFD_in_MAKERNOTE() function within file
    ext/exif/exif.c. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition or
    disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the
    exif_process_user_comment() function within file
    ext/exif/exif.c. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the
    locale_accept_from_http() function within file
    ext/intl/locale/locale_methods.c. An unauthenticated,
    remote attacker can exploit these to cause a denial of
    service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file
    ext/snmp/snmp.c when handling garbage collection during
    deserialization of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    deference already freed memory, resulting in the
    execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the
    simplestring_addn() function within file simplestring.c
    due to improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the
    php_stream_zip_opener() function within file
    ext/zip/zip_stream.c due to improper validation of
    user-supplied input when handling zip streams. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics
    Library (libgd), specifically in the
    gdImageScaleBilinearPalette() function within file
    gd_interpolation.c, when handling transparent color. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or disclose
    memory contents.

  - A heap-based buffer overflow condition exists in the
    mdecrypt_generic() function within file
    ext/mcrypt/mcrypt.c due to improper validation of
    user-supplied input. An unauthenticated, remote attacker
    can exploit this to cause a denial of service condition
    or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library
    (libgd) in the gdImageColorTransparent() function due to
    improper handling of negative transparent colors. A
    remote attacker can exploit this to disclose memory
    contents.

  - An overflow condition exists in the php_url_prase_ex()
    function due to improper validation of user-supplied
    input. A remote attacker can exploit this to cause a
    buffer overflow, resulting in a denial of service
    condition.");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.5.38");
  script_set_attribute(attribute:"see_also", value:"https://httpoxy.org");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 5.5.38 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6290");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^5(\.5)?$")
  audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
if (version !~ "^5\.5\.") audit(AUDIT_NOT_DETECT, "PHP version 5.5.x", port);

if (version =~ "^5\.5\." && ver_compare(ver:version, fix:"5.5.38", strict:FALSE) < 0){
  security_report_v4(
  port  : port,
  extra :
    '\n  Version source    : ' + source +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : 5.5.38' +
    '\n',
  severity:SECURITY_HOLE
  );
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-615-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93386);
  script_version("2.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2016-6293");

  script_name(english:"Debian DLA-615-1 : icu security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update fixes a buffer overflow in the uloc_acceptLanguageFromHTTP
function in ICU, the International Components for Unicode C and C++
library, in Debian Wheezy

For Debian 7 'Wheezy', these problems have been fixed in version
4.8.1.1-12+deb7u5.

We recommend that you upgrade your icu packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2016/09/msg00007.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/icu"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:icu-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libicu-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libicu48");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libicu48-dbg");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/09/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"icu-doc", reference:"4.8.1.1-12+deb7u5")) flag++;
if (deb_check(release:"7.0", prefix:"libicu-dev", reference:"4.8.1.1-12+deb7u5")) flag++;
if (deb_check(release:"7.0", prefix:"libicu48", reference:"4.8.1.1-12+deb7u5")) flag++;
if (deb_check(release:"7.0", prefix:"libicu48-dbg", reference:"4.8.1.1-12+deb7u5")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2016-81613d042d.
#

include("compat.inc");

if (description)
{
  script_id(95007);
  script_version("3.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-6293");
  script_xref(name:"FEDORA", value:"2016-81613d042d");

  script_name(english:"Fedora 25 : icu (2016-81613d042d)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Security fix for CVE-2016-6293

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-81613d042d"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected icu package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:icu");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/21");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC25", reference:"icu-57.1-2.fc25")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icu");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(129126);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");

  script_cve_id(
    "CVE-2014-9654",
    "CVE-2015-4844",
    "CVE-2016-0494",
    "CVE-2016-6293",
    "CVE-2016-7415",
    "CVE-2017-7867",
    "CVE-2017-7868"
  );
  script_bugtraq_id(
    72980
  );

  script_name(english:"EulerOS 2.0 SP5 : icu (EulerOS-SA-2019-1969)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the icu packages installed, the EulerOS
installation on the remote host is affected by the following
vulnerabilities :

  - Unspecified vulnerability in the Java SE and Java SE
    Embedded components in Oracle Java SE 6u105, 7u91, and
    8u66 and Java SE Embedded 8u65 allows remote attackers
    to affect confidentiality, integrity, and availability
    via unknown vectors related to 2D.(CVE-2016-0494)

  - Unspecified vulnerability in Oracle Java SE 6u101,
    7u85, and 8u60, and Java SE Embedded 8u51, allows
    remote attackers to affect confidentiality, integrity,
    and availability via unknown vectors related to
    2D.(CVE-2015-4844)

  - Stack-based buffer overflow in the Locale class in
    common/locid.cpp in International Components for
    Unicode (ICU) through 57.1 for C/C++ allows remote
    attackers to cause a denial of service (application
    crash) or possibly have unspecified other impact via a
    long locale string.(CVE-2016-7415)

  - The uloc_acceptLanguageFromHTTP function in
    common/uloc.cpp in International Components for Unicode
    (ICU) through 57.1 for C/C++ does not ensure that there
    is a '\0' character at the end of a certain temporary
    array, which allows remote attackers to cause a denial
    of service (out-of-bounds read) or possibly have
    unspecified other impact via a call with a long
    httpAcceptLanguage argument.(CVE-2016-6293)

  - The Regular Expressions package in International
    Components for Unicode (ICU) for C/C++ before
    2014-12-03, as used in Google Chrome before
    40.0.2214.91, calculates certain values without
    ensuring that they can be represented in a 24-bit
    field, which allows remote attackers to cause a denial
    of service (memory corruption) or possibly have
    unspecified other impact via a crafted string, a
    related issue to CVE-2014-7923.(CVE-2014-9654)

  - International Components for Unicode (ICU) for C/C++
    before 2017-02-13 has an out-of-bounds write caused by
    a heap-based buffer overflow related to the
    utf8TextAccess function in common/utext.cpp and the
    utext_moveIndex32* function.(CVE-2017-7868)

  - A vulnerability was found in the International
    Components for Unicode (ICU). Specially crafted invalid
    utf-8 text, when parsed or manipulated using particular
    functions in libicu, could cause out-of-bounds heap
    reads and writes potentially leading to a crash, memory
    disclosure, or possibly code execution.(CVE-2017-7867)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1969
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b8c289e");
  script_set_attribute(attribute:"solution", value:
"Update the affected icu packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libicu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libicu-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["libicu-50.1.2-15.h5.eulerosv2r7",
        "libicu-devel-50.1.2-15.h5.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icu");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-517.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(110107);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2014-8146", "CVE-2014-8147", "CVE-2016-6293", "CVE-2017-14952", "CVE-2017-15422", "CVE-2017-17484", "CVE-2017-7867", "CVE-2017-7868");

  script_name(english:"openSUSE Security Update : icu (openSUSE-2018-517)");
  script_summary(english:"Check for the openSUSE-2018-517 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"icu was updated to fix two security issues.

These security issues were fixed :

  - CVE-2014-8147: The resolveImplicitLevels function in
    common/ubidi.c in the Unicode Bidirectional Algorithm
    implementation in ICU4C in International Components for
    Unicode (ICU) used an integer data type that is
    inconsistent with a header file, which allowed remote
    attackers to cause a denial of service (incorrect malloc
    followed by invalid free) or possibly execute arbitrary
    code via crafted text (bsc#929629).

  - CVE-2014-8146: The resolveImplicitLevels function in
    common/ubidi.c in the Unicode Bidirectional Algorithm
    implementation in ICU4C in International Components for
    Unicode (ICU) did not properly track directionally
    isolated pieces of text, which allowed remote attackers
    to cause a denial of service (heap-based buffer
    overflow) or possibly execute arbitrary code via crafted
    text (bsc#929629).

  - CVE-2016-6293: The uloc_acceptLanguageFromHTTP function
    in common/uloc.cpp in International Components for
    Unicode (ICU) for C/C++ did not ensure that there is a
    '\0' character at the end of a certain temporary array,
    which allowed remote attackers to cause a denial of
    service (out-of-bounds read) or possibly have
    unspecified other impact via a call with a long
    httpAcceptLanguage argument (bsc#990636).

  - CVE-2017-7868: International Components for Unicode
    (ICU) for C/C++ 2017-02-13 has an out-of-bounds write
    caused by a heap-based buffer overflow related to the
    utf8TextAccess function in common/utext.cpp and the
    utext_moveIndex32* function (bsc#1034674)

  - CVE-2017-7867: International Components for Unicode
    (ICU) for C/C++ 2017-02-13 has an out-of-bounds write
    caused by a heap-based buffer overflow related to the
    utf8TextAccess function in common/utext.cpp and the
    utext_setNativeIndex* function (bsc#1034678)

  - CVE-2017-14952: Double free in i18n/zonemeta.cpp in
    International Components for Unicode (ICU) for C/C++
    allowed remote attackers to execute arbitrary code via a
    crafted string, aka a 'redundant UVector entry clean up
    function call' issue (bnc#1067203)

  - CVE-2017-17484: The ucnv_UTF8FromUTF8 function in
    ucnv_u8.cpp in International Components for Unicode
    (ICU) for C/C++ mishandled ucnv_convertEx calls for
    UTF-8 to UTF-8 conversion, which allowed remote
    attackers to cause a denial of service (stack-based
    buffer overflow and application crash) or possibly have
    unspecified other impact via a crafted string, as
    demonstrated by ZNC (bnc#1072193)

  - CVE-2017-15422: An integer overflow in icu during
    persian calendar date processing could lead to incorrect
    years shown (bnc#1077999)

This update was imported from the SUSE:SLE-12:Update update project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034674"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034678"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1067203"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1072193"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1077999"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1087932"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=929629"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=990636"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected icu packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icu-data");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icu-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icu-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu-devel-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1-data");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1-debuginfo-32bit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.3", reference:"icu-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"icu-data-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"icu-debuginfo-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"icu-debugsource-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libicu-devel-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libicu52_1-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libicu52_1-data-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libicu52_1-debuginfo-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libicu-devel-32bit-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libicu52_1-32bit-52.1-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libicu52_1-debuginfo-32bit-52.1-18.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icu / icu-data / icu-debuginfo / icu-debugsource / etc");
}