Vulnerabilities > CVE-2019-6129 - Memory Leak vulnerability in Libpng 1.6.36

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(126820);
  script_version("1.3");
  script_cvs_date("Date: 2019/10/21 11:55:47");

  script_cve_id(
    "CVE-2019-2745",
    "CVE-2019-2762",
    "CVE-2019-2766",
    "CVE-2019-2769",
    "CVE-2019-2786",
    "CVE-2019-2816",
    "CVE-2019-2818",
    "CVE-2019-2821",
    "CVE-2019-2842",
    "CVE-2019-6129",
    "CVE-2019-7317"
  );
  script_bugtraq_id(
    108098,
    109184,
    109185,
    109186,
    109187,
    109188,
    109189,
    109201,
    109206,
    109210,
    109212
  );
  script_xref(name:"IAVA", value:"2019-A-0255");

  script_name(english:"Oracle Java SE 1.7.0_231 / 1.8.0_221 / 1.11.0_4 / 1.12.0_2 Multiple Vulnerabilities (Jul 2019 CPU) (Unix)");
  script_summary(english:"Checks the version of the JRE.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Unix host contains a programming platform that is affected
by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle (formerly Sun) Java SE or Java for Business
installed on the remote host is prior to 7 Update 231, 8 Update 221,
11 Update 4, or 12 Update 2. It is, therefore, affected by multiple
vulnerabilities:

  - Unspecified vulnerabilities in the utilities and JCE 
    subcomponents of Oracle Java SE, which could allow an 
    unauthenticated remote attacker to cause a partial denial 
    of service. (CVE-2019-2762, CVE-2019-2769, CVE-2019-2842)

  - An unspecified vulnerability in the security subcomponent 
    of Oracle Java SE, which could allow an unauthenticated 
    local attacker to gain unauthorized access to critical Java 
    SE data. (CVE-2019-2745)

  - Unspecified vulnerabilities in the networking and security 
    subcomponents of Oracle Java SE, which could allow an 
    unauthenticated remote attacker to gain unauthorized 
    access to Java SE data. Exploitation of this vulnerability 
    requires user interaction. 
    (CVE-2019-2766, CVE-2019-2786, CVE-2019-2818)

  - An unspecified vulnerability in the networking subcomponent
    of Oracle Java SE, which could allow an unauthenticated 
    remote attacker unauthorized read, update, insert or
    delete access to Java SE data. (CVE-2019-2816)

  - An unspecified vulnerability in the JSSE subcomponent of 
    Oracle Java SE, which could allow an unauthenticated, 
    remote attacker to gain unauthorized access to critical
    Java SE data. Exploitation of this vulnerability requires 
    user interaction. (CVE-2019-2821)

  - A use after free vulnerability exists in the libpng 
    subcomponent of Oracle Java SE. An unauthenticated, 
    remote attacker can exploit this to cause a complete
    denial of service condition in Java SE. Exploitation 
    of this vulnerability requires user interaction.
    (CVE-2019-7317)

Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9aa2b901");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle JDK / JRE 12 Update 2 , 11 Update 4, 8 Update 221
/ 7 Update 231 or later. If necessary, remove any affected versions.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"agent", value:"unix");


  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("sun_java_jre_installed_unix.nasl");
  script_require_keys("Host/Java/JRE/Installed");

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');

# Check each installed JRE.
installs = get_kb_list_or_exit('Host/Java/JRE/Unmanaged/*');

info = '';
vuln = 0;
vuln2 = 0;
installed_versions = '';
granular = '';

foreach install (list_uniq(keys(installs)))
{
  ver = install - 'Host/Java/JRE/Unmanaged/';
  if (ver !~ "^[0-9.]+") continue;

  installed_versions = installed_versions + ' & ' + ver;

# Fixes : (JDK|JRE) 12 Update 2 / 11 Update 4 / 8 Update 221 / 7 Update 231 
  if (
    ver_compare(minver:'1.7.0', ver:ver, fix:'1.7.0_231', regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
    ver_compare(minver:'1.8.0', ver:ver, fix:'1.8.0_221', regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
    ver_compare(minver:'1.11.0', ver:ver, fix:'1.11.0_4', regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
    ver_compare(minver:'1.12.0', ver:ver, fix:'1.12.0_2', regexes:{0:"_(\d+)"}, strict:FALSE) < 0
  )
  {
    dirs = make_list(get_kb_list(install));
    vuln += max_index(dirs);

    foreach dir (dirs)
      info += '\n  Path              : ' + dir;

    info += '\n  Installed version : ' + ver;
    info += '\n  Fixed version     : 1.7.0_231 / 1.8.0_221 / 1.11.0_4 / 1.12.0_2\n';
  }
  else if (ver =~ "^[\d\.]+$")
  {
    dirs = make_list(get_kb_list(install));
    foreach dir (dirs)
      granular += 'The Oracle Java version '+ver+' at '+dir+' is not granular enough to make a determination.'+'\n';
  }
  else
  {
    dirs = make_list(get_kb_list(install));
    vuln2 += max_index(dirs);
  }

}

# Report if any were found to be vulnerable.
if (info)
{
  if (vuln > 1) s = 's of Java are';
  else s = ' of Java is';

  report =
    '\n' +
    'The following vulnerable instance'+s+' installed on the\n' +
    'remote host :\n' +
    info;
  security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);
  if (granular) exit(0, granular);
}
else
{
  if (granular) exit(0, granular);

  installed_versions = substr(installed_versions, 3);
  if (vuln2 > 1)
    exit(0, 'The Java '+installed_versions+' installations on the remote host are not affected.');
  else
    audit(AUDIT_INST_VER_NOT_VULN, 'Java', installed_versions);
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(133996);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");

  script_cve_id(
    "CVE-2019-6129"
  );

  script_name(english:"EulerOS 2.0 SP8 : libpng (EulerOS-SA-2020-1162)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the libpng packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerability :

  - ** DISPUTED ** png_create_info_struct in png.c in
    libpng 1.6.36 has a memory leak, as demonstrated by
    pngcp. NOTE: a third party has stated 'I don't think it
    is libpng's job to free this buffer.'(CVE-2019-6129)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1162
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b9281a8");
  script_set_attribute(attribute:"solution", value:
"Update the affected libpng package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libpng");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libpng-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["libpng-1.6.34-6.h3.eulerosv2r8",
        "libpng-devel-1.6.34-6.h3.eulerosv2r8"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpng");
}