Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : musl vulnerabilities (USN-5990-1)

critical Nessus Plugin ID 173730

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5990-1 advisory.

- musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code. (CVE-2019-14697)

- In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow). (CVE-2020-28928)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected musl, musl-dev and / or musl-tools packages.

See Also

https://ubuntu.com/security/notices/USN-5990-1

Plugin Details

Severity : Critical

ID : 173730

File Name : ubuntu_USN-5990-1.nasl

Version : 1.0

Type : local

Agent : unix

Published : 3/31/2023

Updated : 3/31/2023

Supported Sensors : Agentless Assessment , Frictionless Assessment Agent , Frictionless Assessment AWS , Frictionless Assessment Azure , Nessus Agent

Risk Information

VPR

Risk Factor : Medium

Score : 6.7

CVSS v2

Risk Factor : High

Base Score : 7.5

Temporal Score : 5.5

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector : E:U/RL:OF/RC:C

CVSS Score Source : CVE-2019-14697

CVSS v3

Risk Factor : Critical

Base Score : 9.8

Temporal Score : 8.5

Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector : E:U/RL:O/RC:C

Vulnerability Information

CPE : cpe:/o:canonical:ubuntu_linux:16.04:-:esm , cpe:/o:canonical:ubuntu_linux:18.04:-:esm , cpe:/o:canonical:ubuntu_linux:20.04:-:esm , p-cpe:/a:canonical:ubuntu_linux:musl , p-cpe:/a:canonical:ubuntu_linux:musl-dev , p-cpe:/a:canonical:ubuntu_linux:musl-tools

Required KB Items : Host/cpu , Host/Ubuntu , Host/Ubuntu/release , Host/Debian/dpkg-l

Exploit Ease : No known exploits are available

Patch Publication Date : 3/31/2023

Vulnerability Publication Date : 8/6/2019

Reference Information

CVE : CVE-2019-14697 , CVE-2020-28928

USN : 5990-1