ID: FEDORA:E5D9F6042388
Type: fedora
Reporter: Fedora
Modified: 2019-11-18T01:52:33
Description
DjVu is a web-centric format and software platform for distributing documents and images. DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for distributing scanned documents, digital documents, or high-resolution pictures. DjVu content downloads faster, displays and renders faster, looks nicer on a screen, and consumes fewer client resources than competing formats. DjVu images display instantly and can be smoothly zoomed and panned with no lengthy re-rendering. DjVuLibre is a free (GPL'ed) implementation of DjVu, including viewers, decoders, simple encoders, and utilities. The browser plugin is in its own separate sub-package.
{"id": "FEDORA:E5D9F6042388", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 29 Update: djvulibre-3.5.27-14.fc29", "description": "DjVu is a web-centric format and software platform for distributing documen ts and images. DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for distributing scanned documents, digital documents, or high-resolution pictu res. DjVu content downloads faster, displays and renders faster, looks nicer on a screen, and consume less client resources than competing formats. DjVu imag es display instantly and can be smoothly zoomed and panned with no lengthy re-rendering. DjVuLibre is a free (GPL'ed) implementation of DjVu, including viewers, decoders, simple encoders, and utilities. The browser plugin is in its own separate sub-package. ", "published": "2019-11-18T01:52:33", "modified": "2019-11-18T01:52:33", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2019-15142", "CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15145"], "lastseen": "2020-12-21T08:17:55", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310852918", "OPENVAS:1361412562310877033", "OPENVAS:1361412562310877237", "OPENVAS:1361412562310844247", "OPENVAS:1361412562310877019", "OPENVAS:1361412562310877326", "OPENVAS:1361412562310891902", "OPENVAS:1361412562310877024", "OPENVAS:1361412562310852721"]}, {"type": "gentoo", "idList": ["GLSA-202007-36"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2217-1", "OPENSUSE-SU-2019:2219-1"]}, {"type": "nessus", "idList": ["SUSE_SU-2019-2452-1.NASL", "FEDORA_2019-7CA378F076.NASL", "OPENSUSE-2019-2219.NASL", "GENTOO_GLSA-202007-36.NASL", "OPENSUSE-2019-2217.NASL", "DEBIAN_DLA-1902.NASL", "SUSE_SU-2019-2444-1.NASL", "FEDORA_2019-67FF247AEA.NASL", "FEDORA_2019-B217F90C2A.NASL", "FEDORA_2019-F923712BAB.NASL"]}, {"type": "debian", "idList": 
["DEBIAN:DLA-1902-1:05806"]}, {"type": "fedora", "idList": ["FEDORA:1012E60FC97D", "FEDORA:959596082D89", "FEDORA:A928E604D9D3", "FEDORA:C769B606D3C0"]}, {"type": "cve", "idList": ["CVE-2019-15143", "CVE-2019-15145", "CVE-2019-15142", "CVE-2019-15144"]}, {"type": "ubuntu", "idList": ["USN-4198-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:8A8925C48F7E405F9D6C927A2B352D79"]}, {"type": "attackerkb", "idList": ["AKB:0C951592-CB7F-4672-8788-014F4110580E"]}], "modified": "2020-12-21T08:17:55", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2020-12-21T08:17:55", "rev": 2}, "vulnersScore": 5.7}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "29", "arch": "any", "packageName": "djvulibre", "packageVersion": "3.5.27", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-15142", "CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15145"], "description": "DjVu is a web-centric format and software platform for distributing documen ts and images. DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for distributing scanned documents, digital documents, or high-resolution pictu res. DjVu content downloads faster, displays and renders faster, looks nicer on a screen, and consume less client resources than competing formats. DjVu imag es display instantly and can be smoothly zoomed and panned with no lengthy re-rendering. DjVuLibre is a free (GPL'ed) implementation of DjVu, including viewers, decoders, simple encoders, and utilities. The browser plugin is in its own separate sub-package. ", "modified": "2019-11-17T01:32:14", "published": "2019-11-17T01:32:14", "id": "FEDORA:959596082D89", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: djvulibre-3.5.27-16.fc31", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-15142", "CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15145"], "description": "DjVu is a web-centric format and software platform for distributing documen ts and images. DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for distributing scanned documents, digital documents, or high-resolution pictu res. DjVu content downloads faster, displays and renders faster, looks nicer on a screen, and consume less client resources than competing formats. DjVu imag es display instantly and can be smoothly zoomed and panned with no lengthy re-rendering. DjVuLibre is a free (GPL'ed) implementation of DjVu, including viewers, decoders, simple encoders, and utilities. The browser plugin is in its own separate sub-package. 
", "modified": "2019-11-18T01:19:13", "published": "2019-11-18T01:19:13", "id": "FEDORA:A928E604D9D3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: djvulibre-3.5.27-15.fc30", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-15142", "CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15145", "CVE-2019-18804"], "description": "MinGW Windows djvulibre library. ", "modified": "2019-11-22T00:48:19", "published": "2019-11-22T00:48:19", "id": "FEDORA:C769B606D3C0", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: mingw-djvulibre-3.5.27-7.fc31", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-15142", "CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15145", "CVE-2019-18804"], "description": "MinGW Windows djvulibre library. ", "modified": "2019-11-22T01:23:07", "published": "2019-11-22T01:23:07", "id": "FEDORA:1012E60FC97D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: mingw-djvulibre-3.5.27-7.fc30", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-01-12T09:41:19", "description": "Hongxu Chen found several issues in djvulibre, a library and set of\ntools to handle images in the DjVu format.\n\nThe issues are a heap-buffer-overflow, a stack-overflow, an infinite\nloop and an invalid read when working with crafted files as input.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n3.5.25.4-4+deb8u1.\n\nWe recommend that you upgrade your djvulibre packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 15, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-08-30T00:00:00", "title": "Debian DLA-1902-1 : djvulibre security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "modified": "2019-08-30T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:djview", "p-cpe:/a:debian:debian_linux:libdjvulibre21", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:libdjvulibre-dev", "p-cpe:/a:debian:debian_linux:djvulibre-dbg", "p-cpe:/a:debian:debian_linux:libdjvulibre-text", "p-cpe:/a:debian:debian_linux:djvulibre-desktop", "p-cpe:/a:debian:debian_linux:djvulibre-bin", "p-cpe:/a:debian:debian_linux:djvuserve", "p-cpe:/a:debian:debian_linux:djview3"], "id": "DEBIAN_DLA-1902.NASL", "href": "https://www.tenable.com/plugins/nessus/128394", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1902-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128394);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n\n script_name(english:\"Debian DLA-1902-1 : djvulibre security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Hongxu Chen found several issues in djvulibre, a library and set of\ntools to handle images in the DjVu format.\n\nThe issues are a heap-buffer-overflow, a stack-overflow, an infinite\nloop and an invalid read when working with crafted files as input.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n3.5.25.4-4+deb8u1.\n\nWe recommend that you upgrade your djvulibre packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00036.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/djvulibre\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:djview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:djview3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:djvulibre-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:djvulibre-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:djvulibre-desktop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:djvuserve\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libdjvulibre-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libdjvulibre-text\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libdjvulibre21\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"djview\", reference:\"3.5.25.4-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"djview3\", reference:\"3.5.25.4-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"djvulibre-bin\", reference:\"3.5.25.4-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"djvulibre-dbg\", reference:\"3.5.25.4-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"djvulibre-desktop\", reference:\"3.5.25.4-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"djvuserve\", reference:\"3.5.25.4-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libdjvulibre-dev\", reference:\"3.5.25.4-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libdjvulibre-text\", reference:\"3.5.25.4-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libdjvulibre21\", reference:\"3.5.25.4-4+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else 
security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-01T02:32:49", "description": "Security fix for CVE-2019-15142, CVE-2019-15143, CVE-2019-15144 and\nCVE-2019-15145.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 16, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-11-18T00:00:00", "title": "Fedora 31 : djvulibre (2019-67ff247aea)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:djvulibre", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-67FF247AEA.NASL", "href": "https://www.tenable.com/plugins/nessus/131093", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-67ff247aea.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131093);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/09\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_xref(name:\"FEDORA\", value:\"2019-67ff247aea\");\n\n script_name(english:\"Fedora 31 : djvulibre (2019-67ff247aea)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2019-15142, CVE-2019-15143, CVE-2019-15144 and\nCVE-2019-15145.\n\nNote that Tenable Network 
Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-67ff247aea\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected djvulibre package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:djvulibre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"djvulibre-3.5.27-16.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"djvulibre\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-01T02:33:18", "description": "Security fix for CVE-2019-15142, CVE-2019-15143, CVE-2019-15144 and\nCVE-2019-15145.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 16, "cvss3": {"score": 6.5, 
"vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-11-18T00:00:00", "title": "Fedora 29 : djvulibre (2019-7ca378f076)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:29", "p-cpe:/a:fedoraproject:fedora:djvulibre"], "id": "FEDORA_2019-7CA378F076.NASL", "href": "https://www.tenable.com/plugins/nessus/131097", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-7ca378f076.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131097);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_xref(name:\"FEDORA\", value:\"2019-7ca378f076\");\n\n script_name(english:\"Fedora 29 : djvulibre (2019-7ca378f076)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2019-15142, CVE-2019-15143, CVE-2019-15144 and\nCVE-2019-15145.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ca378f076\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected djvulibre package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:djvulibre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"djvulibre-3.5.27-14.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"djvulibre\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-14T06:20:55", "description": "This update for djvulibre fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-15142: Fixed heap-based buffer over-read (bsc#1146702).\n\nCVE-2019-15143: Fixed resource exhaustion caused by corrupted image\nfiles (bsc#1146569).\n\nCVE-2019-15144: Fixed denial-of-service caused by crafted PBM image\nfiles (bsc#1146571).\n\nCVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image\nfiles (bsc#1146572).\n\nFixed segfault when libtiff encounters corrupted TIFF (upstream issue\n#295).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-09-25T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : djvulibre (SUSE-SU-2019:2452-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "modified": "2019-09-25T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libdjvulibre21", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:djvulibre-debugsource", "p-cpe:/a:novell:suse_linux:djvulibre-debuginfo", "p-cpe:/a:novell:suse_linux:libdjvulibre21-debuginfo", "p-cpe:/a:novell:suse_linux:libdjvulibre-devel", "p-cpe:/a:novell:suse_linux:djvulibre", "p-cpe:/a:novell:suse_linux:djvulibre-doc"], "id": "SUSE_SU-2019-2452-1.NASL", "href": "https://www.tenable.com/plugins/nessus/129348", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2452-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129348);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : djvulibre (SUSE-SU-2019:2452-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for djvulibre fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-15142: Fixed heap-based buffer over-read 
(bsc#1146702).\n\nCVE-2019-15143: Fixed resource exhaustion caused by corrupted image\nfiles (bsc#1146569).\n\nCVE-2019-15144: Fixed denial-of-service caused by crafted PBM image\nfiles (bsc#1146571).\n\nCVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image\nfiles (bsc#1146572).\n\nFixed segfault when libtiff encounters corrupted TIFF (upstream issue\n#295).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146572\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15142/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15143/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15144/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15145/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192452-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b64bfbf8\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product 
:\n\nSUSE Linux Enterprise Module for Packagehub Subpackages 15:zypper in\n-t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2019-2452=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2452=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-2452=1\n\nSUSE Linux Enterprise Module for Desktop Applications 15-SP1:zypper in\n-t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-2452=1\n\nSUSE Linux Enterprise Module for Desktop Applications 15:zypper in -t\npatch SUSE-SLE-Module-Desktop-Applications-15-2019-2452=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:djvulibre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:djvulibre-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:djvulibre-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:djvulibre-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdjvulibre-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdjvulibre21\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdjvulibre21-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! 
preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"djvulibre-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"djvulibre-debuginfo-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"djvulibre-debugsource-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"djvulibre-doc-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libdjvulibre-devel-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libdjvulibre21-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libdjvulibre21-debuginfo-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"djvulibre-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"djvulibre-debuginfo-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"djvulibre-debugsource-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"djvulibre-doc-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libdjvulibre-devel-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libdjvulibre21-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libdjvulibre21-debuginfo-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"djvulibre-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"djvulibre-debuginfo-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"djvulibre-debugsource-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"djvulibre-doc-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", 
reference:\"libdjvulibre-devel-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libdjvulibre21-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libdjvulibre21-debuginfo-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"djvulibre-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"djvulibre-debuginfo-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"djvulibre-debugsource-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"djvulibre-doc-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libdjvulibre-devel-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libdjvulibre21-3.5.27-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libdjvulibre21-debuginfo-3.5.27-3.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"djvulibre\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-31T02:30:41", "description": "The remote host is affected by the vulnerability described in GLSA-202007-36\n(DjVu: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in DjVu. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 2, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-07-27T00:00:00", "title": "GLSA-202007-36 : DjVu: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "modified": "2020-07-27T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:djvu", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202007-36.NASL", "href": "https://www.tenable.com/plugins/nessus/138959", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202007-36.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138959);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/30\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_xref(name:\"GLSA\", value:\"202007-36\");\n\n script_name(english:\"GLSA-202007-36 : DjVu: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202007-36\n(DjVu: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in DjVu. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202007-36\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All DjVu users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/djvu-3.5.27-r2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:djvu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-text/djvu\", unaffected:make_list(\"ge 3.5.27-r2\"), vulnerable:make_list(\"lt 3.5.27-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"DjVu\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-01T02:36:33", "description": "Security fix for CVE-2019-15142, CVE-2019-15143, CVE-2019-15144 and\nCVE-2019-15145.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 16, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-11-18T00:00:00", "title": "Fedora 30 : djvulibre (2019-b217f90c2a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:30", "p-cpe:/a:fedoraproject:fedora:djvulibre"], "id": "FEDORA_2019-B217F90C2A.NASL", "href": 
"https://www.tenable.com/plugins/nessus/131099", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-b217f90c2a.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131099);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/09\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_xref(name:\"FEDORA\", value:\"2019-b217f90c2a\");\n\n script_name(english:\"Fedora 30 : djvulibre (2019-b217f90c2a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2019-15142, CVE-2019-15143, CVE-2019-15144 and\nCVE-2019-15145.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-b217f90c2a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected djvulibre package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:djvulibre\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"djvulibre-3.5.27-15.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"djvulibre\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-01T04:43:43", "description": "This update for djvulibre fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2019-15142: Fixed heap-based buffer over-read\n (bsc#1146702).\n\n - CVE-2019-15143: Fixed resource exhaustion caused by\n corrupted image files (bsc#1146569).\n\n - CVE-2019-15144: Fixed denial-of-service caused by\n crafted PBM image files (bsc#1146571).\n\n - CVE-2019-15145: Fixed out-of-bounds read caused by\n corrupted JB2 image files (bsc#1146572).\n\n - Fixed segfault when libtiff encounters corrupted TIFF\n (upstream issue #295).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 18, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-10-01T00:00:00", "title": "openSUSE Security Update : djvulibre (openSUSE-2019-2219)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libdjvulibre-devel", "cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:libdjvulibre21-debuginfo", 
"p-cpe:/a:novell:opensuse:djvulibre-debuginfo", "p-cpe:/a:novell:opensuse:libdjvulibre21", "p-cpe:/a:novell:opensuse:djvulibre", "p-cpe:/a:novell:opensuse:djvulibre-debugsource"], "id": "OPENSUSE-2019-2219.NASL", "href": "https://www.tenable.com/plugins/nessus/129481", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2219.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129481);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/23\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n\n script_name(english:\"openSUSE Security Update : djvulibre (openSUSE-2019-2219)\");\n script_summary(english:\"Check for the openSUSE-2019-2219 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for djvulibre fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2019-15142: Fixed heap-based buffer over-read\n (bsc#1146702).\n\n - CVE-2019-15143: Fixed resource exhaustion caused by\n corrupted image files (bsc#1146569).\n\n - CVE-2019-15144: Fixed denial-of-service caused by\n crafted PBM image files (bsc#1146571).\n\n - CVE-2019-15145: Fixed out-of-bounds read caused by\n corrupted JB2 image files (bsc#1146572).\n\n - Fixed segfault when libtiff encounters corrupted TIFF\n (upstream issue #295).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146571\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146572\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146702\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected djvulibre packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:djvulibre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:djvulibre-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:djvulibre-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdjvulibre-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdjvulibre21\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdjvulibre21-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"djvulibre-3.5.27-lp151.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"djvulibre-debuginfo-3.5.27-lp151.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"djvulibre-debugsource-3.5.27-lp151.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdjvulibre-devel-3.5.27-lp151.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdjvulibre21-3.5.27-lp151.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdjvulibre21-debuginfo-3.5.27-lp151.3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"djvulibre / djvulibre-debuginfo / djvulibre-debugsource / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": 
"2021-02-01T06:54:58", "description": "This update for djvulibre fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-15142: Fixed heap-based buffer over-read (bsc#1146702).\n\nCVE-2019-15143: Fixed resource exhaustion caused by corrupted image\nfiles (bsc#1146569).\n\nCVE-2019-15144: Fixed denial-of-service caused by crafted PBM image\nfiles (bsc#1146571).\n\nCVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image\nfiles (bsc#1146572).\n\nFixed segfault when libtiff encounters corrupted TIFF (upstream issue\n#295).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-09-25T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : djvulibre (SUSE-SU-2019:2444-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libdjvulibre21", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:djvulibre-debugsource", "p-cpe:/a:novell:suse_linux:djvulibre-debuginfo", "p-cpe:/a:novell:suse_linux:libdjvulibre21-debuginfo"], "id": "SUSE_SU-2019-2444-1.NASL", "href": "https://www.tenable.com/plugins/nessus/129347", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2444-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129347);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/23\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n\n 
script_name(english:\"SUSE SLED12 / SLES12 Security Update : djvulibre (SUSE-SU-2019:2444-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for djvulibre fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-15142: Fixed heap-based buffer over-read (bsc#1146702).\n\nCVE-2019-15143: Fixed resource exhaustion caused by corrupted image\nfiles (bsc#1146569).\n\nCVE-2019-15144: Fixed denial-of-service caused by crafted PBM image\nfiles (bsc#1146571).\n\nCVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image\nfiles (bsc#1146572).\n\nFixed segfault when libtiff encounters corrupted TIFF (upstream issue\n#295).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146572\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15142/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15143/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15144/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15145/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192444-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0dc22aed\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t\npatch SUSE-SLE-SDK-12-SP4-2019-2444=1\n\nSUSE Linux Enterprise Server 12-SP4:zypper in -t patch\nSUSE-SLE-SERVER-12-SP4-2019-2444=1\n\nSUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP4-2019-2444=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:djvulibre-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:djvulibre-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdjvulibre21\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdjvulibre21-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP4\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"djvulibre-debuginfo-3.5.25.3-5.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"djvulibre-debugsource-3.5.25.3-5.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdjvulibre21-3.5.25.3-5.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdjvulibre21-debuginfo-3.5.25.3-5.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"djvulibre-debuginfo-3.5.25.3-5.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"djvulibre-debugsource-3.5.25.3-5.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libdjvulibre21-3.5.25.3-5.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libdjvulibre21-debuginfo-3.5.25.3-5.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"djvulibre\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-20T12:48:32", "description": "This update for djvulibre fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2019-15142: Fixed heap-based buffer over-read\n (bsc#1146702).\n\n - CVE-2019-15143: Fixed resource exhaustion caused by\n corrupted image files (bsc#1146569).\n\n - CVE-2019-15144: Fixed denial-of-service caused by\n crafted PBM image files (bsc#1146571).\n\n - CVE-2019-15145: Fixed out-of-bounds read caused by\n corrupted JB2 image files (bsc#1146572).\n\n - Fixed segfault when libtiff encounters corrupted TIFF\n (upstream issue #295).\n\nThis update was imported from the 
SUSE:SLE-15:Update update project.", "edition": 15, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-09-30T00:00:00", "title": "openSUSE Security Update : djvulibre (openSUSE-2019-2217)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "modified": "2019-09-30T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libdjvulibre-devel", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:libdjvulibre21-debuginfo", "p-cpe:/a:novell:opensuse:djvulibre-debuginfo", "p-cpe:/a:novell:opensuse:libdjvulibre21", "p-cpe:/a:novell:opensuse:djvulibre", "p-cpe:/a:novell:opensuse:djvulibre-debugsource"], "id": "OPENSUSE-2019-2217.NASL", "href": "https://www.tenable.com/plugins/nessus/129464", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2217.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129464);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n\n script_name(english:\"openSUSE Security Update : djvulibre (openSUSE-2019-2217)\");\n script_summary(english:\"Check for the openSUSE-2019-2217 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for djvulibre fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2019-15142: Fixed heap-based buffer over-read\n (bsc#1146702).\n\n - CVE-2019-15143: Fixed resource exhaustion caused by\n corrupted image files 
(bsc#1146569).\n\n - CVE-2019-15144: Fixed denial-of-service caused by\n crafted PBM image files (bsc#1146571).\n\n - CVE-2019-15145: Fixed out-of-bounds read caused by\n corrupted JB2 image files (bsc#1146572).\n\n - Fixed segfault when libtiff encounters corrupted TIFF\n (upstream issue #295).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146572\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146702\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected djvulibre packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:djvulibre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:djvulibre-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:djvulibre-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdjvulibre-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdjvulibre21\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libdjvulibre21-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"djvulibre-3.5.27-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"djvulibre-debuginfo-3.5.27-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"djvulibre-debugsource-3.5.27-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libdjvulibre-devel-3.5.27-lp150.2.3.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE15.0\", reference:\"libdjvulibre21-3.5.27-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libdjvulibre21-debuginfo-3.5.27-lp150.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"djvulibre / djvulibre-debuginfo / djvulibre-debugsource / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-18T11:02:30", "description": "It was discovered that DjVuLibre incorrectly handled certain memory\noperations. If a user or automated system were tricked into processing\na specially crafted DjVu file, a remote attacker could cause\napplications to hang or crash, resulting in a denial of service, or\npossibly execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-11-22T00:00:00", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : DjVuLibre vulnerabilities (USN-4198-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145", "CVE-2019-18804"], "modified": "2019-11-22T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libdjvulibre21", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.04", "cpe:/o:canonical:ubuntu_linux:19.10"], "id": "UBUNTU_USN-4198-1.NASL", "href": "https://www.tenable.com/plugins/nessus/131226", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4198-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131226);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\", \"CVE-2019-18804\");\n script_xref(name:\"USN\", value:\"4198-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : DjVuLibre vulnerabilities (USN-4198-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that DjVuLibre incorrectly handled certain memory\noperations. 
If a user or automated system were tricked into processing\na specially crafted DjVu file, a remote attacker could cause\napplications to hang or crash, resulting in a denial of service, or\npossibly execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4198-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected libdjvulibre21 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libdjvulibre21\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|19\\.04|19\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04 / 19.04 / 19.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libdjvulibre21\", pkgver:\"3.5.27.1-5ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libdjvulibre21\", pkgver:\"3.5.27.1-8ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"19.04\", pkgname:\"libdjvulibre21\", pkgver:\"3.5.27.1-10ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"libdjvulibre21\", pkgver:\"3.5.27.1-13ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libdjvulibre21\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2019-12-04T15:43:37", 
"bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "The remote host is missing an update for the ", "modified": "2019-12-04T00:00:00", "published": "2019-11-21T00:00:00", "id": "OPENVAS:1361412562310877019", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877019", "type": "openvas", "title": "Fedora Update for djvulibre FEDORA-2019-b217f90c2a", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877019\");\n script_version(\"2019-12-04T09:04:42+0000\");\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-04 09:04:42 +0000 (Wed, 04 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-21 03:39:20 +0000 (Thu, 21 Nov 2019)\");\n script_name(\"Fedora Update for djvulibre FEDORA-2019-b217f90c2a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-b217f90c2a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RYZTGKWY3NAKMIMTFYGN4ZO5XEQWPYRL\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'djvulibre'\n package(s) announced via the FEDORA-2019-b217f90c2a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"DjVu is a web-centric format and software platform for distributing documents\nand images. 
DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for\ndistributing scanned documents, digital documents, or high-resolution pictures.\nDjVu content downloads faster, displays and renders faster, looks nicer on a\nscreen, and consume less client resources than competing formats. DjVu images\ndisplay instantly and can be smoothly zoomed and panned with no lengthy\nre-rendering.\n\nDjVuLibre is a free (GPL', ed) implementation of DjVu, including viewers,\ndecoders, simple encoders, and utilities. The browser plugin is in its own\nseparate sub-package.\");\n\n script_tag(name:\"affected\", value:\"'djvulibre' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre\", rpm:\"djvulibre~3.5.27~15.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-31T16:29:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310852918", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852918", "type": "openvas", "title": "openSUSE: Security Advisory for djvulibre (openSUSE-SU-2019:2219-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# 
advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852918\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 09:45:47 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"openSUSE: Security Advisory for djvulibre (openSUSE-SU-2019:2219-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:2219-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00087.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is 
missing an update for the 'djvulibre'\n package(s) announced via the openSUSE-SU-2019:2219-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for djvulibre fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-15142: Fixed heap-based buffer over-read (bsc#1146702).\n\n - CVE-2019-15143: Fixed resource exhaustion caused by corrupted image\n files (bsc#1146569).\n\n - CVE-2019-15144: Fixed denial-of-service caused by crafted PBM image\n files (bsc#1146571).\n\n - CVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image\n files (bsc#1146572).\n\n - Fixed segfault when libtiff encounters corrupted TIFF (upstream issue\n #295).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-2219=1\");\n\n script_tag(name:\"affected\", value:\"'djvulibre' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre\", rpm:\"djvulibre~3.5.27~lp151.3.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre-debuginfo\", rpm:\"djvulibre-debuginfo~3.5.27~lp151.3.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"djvulibre-debugsource\", rpm:\"djvulibre-debugsource~3.5.27~lp151.3.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre-doc\", rpm:\"djvulibre-doc~3.5.27~lp151.3.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdjvulibre-devel\", rpm:\"libdjvulibre-devel~3.5.27~lp151.3.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdjvulibre21\", rpm:\"libdjvulibre21~3.5.27~lp151.3.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdjvulibre21-debuginfo\", rpm:\"libdjvulibre21-debuginfo~3.5.27~lp151.3.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-31T16:54:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-10-01T00:00:00", "id": "OPENVAS:1361412562310852721", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852721", "type": "openvas", "title": "openSUSE: Security Advisory for djvulibre (openSUSE-SU-2019:2217-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852721\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-10-01 02:01:06 +0000 (Tue, 01 Oct 2019)\");\n script_name(\"openSUSE: Security Advisory for djvulibre (openSUSE-SU-2019:2217-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:2217-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00086.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'djvulibre'\n package(s) announced via the openSUSE-SU-2019:2217-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for djvulibre fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-15142: Fixed heap-based buffer over-read (bsc#1146702).\n\n - 
CVE-2019-15143: Fixed resource exhaustion caused by corrupted image\n files (bsc#1146569).\n\n - CVE-2019-15144: Fixed denial-of-service caused by crafted PBM image\n files (bsc#1146571).\n\n - CVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image\n files (bsc#1146572).\n\n - Fixed segfault when libtiff encounters corrupted TIFF (upstream issue\n #295).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-2217=1\");\n\n script_tag(name:\"affected\", value:\"'djvulibre' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre\", rpm:\"djvulibre~3.5.27~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre-debuginfo\", rpm:\"djvulibre-debuginfo~3.5.27~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre-debugsource\", rpm:\"djvulibre-debugsource~3.5.27~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre-doc\", rpm:\"djvulibre-doc~3.5.27~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdjvulibre-devel\", rpm:\"libdjvulibre-devel~3.5.27~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdjvulibre21\", rpm:\"libdjvulibre21~3.5.27~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libdjvulibre21-debuginfo\", rpm:\"libdjvulibre21-debuginfo~3.5.27~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-04T15:40:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "The remote host is missing an update for the ", "modified": "2019-12-04T00:00:00", "published": "2019-11-21T00:00:00", "id": "OPENVAS:1361412562310877024", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877024", "type": "openvas", "title": "Fedora Update for djvulibre FEDORA-2019-7ca378f076", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877024\");\n script_version(\"2019-12-04T09:04:42+0000\");\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-04 09:04:42 +0000 (Wed, 04 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-21 03:39:32 +0000 (Thu, 21 Nov 2019)\");\n script_name(\"Fedora Update for djvulibre FEDORA-2019-7ca378f076\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-7ca378f076\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M7F7544WASYMOTFDR2WUEOQLN3ZEXNU4\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'djvulibre'\n package(s) announced via the FEDORA-2019-7ca378f076 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"DjVu is a web-centric format and software platform for distributing documents\nand images. 
DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for\ndistributing scanned documents, digital documents, or high-resolution pictures.\nDjVu content downloads faster, displays and renders faster, looks nicer on a\nscreen, and consume less client resources than competing formats. DjVu images\ndisplay instantly and can be smoothly zoomed and panned with no lengthy\nre-rendering.\n\nDjVuLibre is a free (GPL', ed) implementation of DjVu, including viewers,\ndecoders, simple encoders, and utilities. The browser plugin is in its own\nseparate sub-package.\");\n\n script_tag(name:\"affected\", value:\"'djvulibre' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre\", rpm:\"djvulibre~3.5.27~14.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-14T14:48:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "The remote host is missing an update for the ", "modified": "2020-01-13T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310877326", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877326", "type": "openvas", "title": "Fedora Update for djvulibre FEDORA-2019-67ff247aea", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are 
Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877326\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:38:09 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for djvulibre FEDORA-2019-67ff247aea\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-67ff247aea\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPMG3VY33XGMIKE6QDYIUVS6A7GNTHTK\");\n\n script_tag(name:\"summary\", value:\"The remote 
host is missing an update for the 'djvulibre'\n package(s) announced via the FEDORA-2019-67ff247aea advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"DjVu is a web-centric format and software platform for distributing documents\nand images. DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for\ndistributing scanned documents, digital documents, or high-resolution pictures.\nDjVu content downloads faster, displays and renders faster, looks nicer on a\nscreen, and consume less client resources than competing formats. DjVu images\ndisplay instantly and can be smoothly zoomed and panned with no lengthy\nre-rendering.\n\nDjVuLibre is a free (GPL', ed) implementation of DjVu, including viewers,\ndecoders, simple encoders, and utilities. The browser plugin is in its own\nseparate sub-package.\");\n\n script_tag(name:\"affected\", value:\"'djvulibre' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"djvulibre\", rpm:\"djvulibre~3.5.27~16.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-29T19:29:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "The remote host is missing an update for the ", "modified": "2020-01-29T00:00:00", "published": 
"2019-08-30T00:00:00", "id": "OPENVAS:1361412562310891902", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891902", "type": "openvas", "title": "Debian LTS: Security Advisory for djvulibre (DLA-1902-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891902\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-30 02:00:11 +0000 (Fri, 30 Aug 2019)\");\n script_name(\"Debian LTS: Security Advisory for djvulibre (DLA-1902-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00036.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1902-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'djvulibre'\n package(s) announced via the DLA-1902-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Hongxu Chen found several issues in djvulibre, a library and set of tools\nto handle images in the DjVu format.\n\nThe issues are a heap-buffer-overflow, a stack-overflow, an infinite loop\nand an invalid read when working with crafted files as input.\");\n\n script_tag(name:\"affected\", value:\"'djvulibre' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n3.5.25.4-4+deb8u1.\n\nWe recommend that you upgrade your djvulibre packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"djview\", ver:\"3.5.25.4-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"djview3\", ver:\"3.5.25.4-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"djvulibre-bin\", ver:\"3.5.25.4-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"djvulibre-dbg\", ver:\"3.5.25.4-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"djvulibre-desktop\", ver:\"3.5.25.4-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"djvuserve\", ver:\"3.5.25.4-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libdjvulibre-dev\", ver:\"3.5.25.4-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libdjvulibre-text\", ver:\"3.5.25.4-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libdjvulibre21\", ver:\"3.5.25.4-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-04T15:42:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145", "CVE-2019-18804"], "description": "The remote host is missing an update for the ", "modified": "2019-12-04T00:00:00", "published": "2019-11-22T00:00:00", "id": "OPENVAS:1361412562310877033", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877033", "type": "openvas", "title": "Fedora Update for mingw-djvulibre FEDORA-2019-f923712bab", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877033\");\n script_version(\"2019-12-04T09:04:42+0000\");\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\", \"CVE-2019-18804\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-04 09:04:42 +0000 (Wed, 04 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-22 03:27:29 +0000 (Fri, 22 Nov 2019)\");\n script_name(\"Fedora Update for mingw-djvulibre FEDORA-2019-f923712bab\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-f923712bab\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUEME45HVGTMDOYODAZYQOGWSZ2CEFWZ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-djvulibre'\n package(s) announced via the FEDORA-2019-f923712bab advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"MinGW Windows djvulibre library.\");\n\n script_tag(name:\"affected\", value:\"'mingw-djvulibre' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"mingw-djvulibre\", rpm:\"mingw-djvulibre~3.5.27~7.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-13T14:48:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145", "CVE-2019-18804"], "description": "The remote host is missing an update for the ", "modified": "2019-12-12T00:00:00", "published": "2019-11-22T00:00:00", "id": "OPENVAS:1361412562310844247", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844247", "type": "openvas", "title": "Ubuntu Update for djvulibre USN-4198-1", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844247\");\n script_version(\"2019-12-12T11:35:23+0000\");\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\", \"CVE-2019-18804\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-12 11:35:23 +0000 (Thu, 12 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-22 03:00:46 +0000 (Fri, 22 Nov 2019)\");\n script_name(\"Ubuntu Update for djvulibre USN-4198-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU19\\.10|UBUNTU19\\.04|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4198-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-November/005217.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'djvulibre'\n package(s) announced via the USN-4198-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that DjVuLibre incorrectly handled certain memory\noperations. 
If a user or automated system were tricked into processing a\nspecially crafted DjVu file, a remote attacker could cause applications\nto hang or crash, resulting in a denial of service, or possibly execute\narbitrary code.\");\n\n script_tag(name:\"affected\", value:\"'djvulibre' package(s) on Ubuntu 19.10, Ubuntu 19.04, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libdjvulibre21\", ver:\"3.5.27.1-8ubuntu0.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libdjvulibre21\", ver:\"3.5.27.1-13ubuntu0.1\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.04\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libdjvulibre21\", ver:\"3.5.27.1-10ubuntu0.1\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libdjvulibre21\", ver:\"3.5.27.1-5ubuntu0.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": 
"2020-01-14T14:48:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145", "CVE-2019-18804"], "description": "The remote host is missing an update for the ", "modified": "2020-01-13T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310877237", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877237", "type": "openvas", "title": "Fedora Update for mingw-djvulibre FEDORA-2019-6bc8be9d84", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877237\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-15142\", \"CVE-2019-15143\", \"CVE-2019-15144\", \"CVE-2019-15145\", \"CVE-2019-18804\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:33:27 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for mingw-djvulibre FEDORA-2019-6bc8be9d84\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-6bc8be9d84\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JO65AWU7LEWNF6DDCZPRFTR2ZPP5XK6L\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-djvulibre'\n package(s) announced via the FEDORA-2019-6bc8be9d84 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"MinGW Windows djvulibre library.\");\n\n script_tag(name:\"affected\", value:\"'mingw-djvulibre' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"mingw-djvulibre\", rpm:\"mingw-djvulibre~3.5.27~7.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "suse": [{"lastseen": "2019-09-30T14:30:45", "bulletinFamily": "unix", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "This update for djvulibre fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-15142: Fixed heap-based buffer over-read (bsc#1146702).\n - CVE-2019-15143: Fixed resource exhaustion caused by corrupted image\n files (bsc#1146569).\n - CVE-2019-15144: Fixed denial-of-service caused by crafted PBM image\n files (bsc#1146571).\n - CVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image\n files (bsc#1146572).\n - Fixed segfault when libtiff encounters corrupted TIFF (upstream issue\n #295).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-09-30T12:11:19", "published": "2019-09-30T12:11:19", "id": "OPENSUSE-SU-2019:2217-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00086.html", "title": "Security update for djvulibre (moderate)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-09-30T22:50:59", "bulletinFamily": "unix", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "This update for djvulibre fixes the following issues:\n\n Security issues 
fixed:\n\n - CVE-2019-15142: Fixed heap-based buffer over-read (bsc#1146702).\n - CVE-2019-15143: Fixed resource exhaustion caused by corrupted image\n files (bsc#1146569).\n - CVE-2019-15144: Fixed denial-of-service caused by crafted PBM image\n files (bsc#1146571).\n - CVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image\n files (bsc#1146572).\n - Fixed segfault when libtiff encounters corrupted TIFF (upstream issue\n #295).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-09-30T21:13:05", "published": "2019-09-30T21:13:05", "id": "OPENSUSE-SU-2019:2219-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00087.html", "title": "Security update for djvulibre (moderate)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2020-08-12T00:47:21", "bulletinFamily": "unix", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "Package : djvulibre\nVersion : 3.5.25.4-4+deb8u1\nCVE ID : CVE-2019-15142 CVE-2019-15143 CVE-2019-15144\n CVE-2019-15145\n\n\nHongxu Chen found several issues in djvulibre, a library and set of tools\nto handle images in the DjVu format.\n\nThe issues are a heap-buffer-overflow, a stack-overflow, an infinite loop\nand an invalid read when working with crafted files as input.\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n3.5.25.4-4+deb8u1.\n\nWe recommend that you upgrade your djvulibre packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 5, "modified": "2019-08-29T20:35:29", "published": "2019-08-29T20:35:29", "id": "DEBIAN:DLA-1902-1:05806", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201908/msg00036.html", "title": "[SECURITY] [DLA 
1902-1] djvulibre security update", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "gentoo": [{"lastseen": "2020-07-27T05:34:56", "bulletinFamily": "unix", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145"], "description": "### Background\n\nDjVu is a web-centric format and software platform for distributing documents and images. \n\n### Description\n\nMultiple vulnerabilities have been discovered in DjVu. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll DjVu users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-text/djvu-3.5.27-r2\"", "edition": 1, "modified": "2020-07-27T00:00:00", "published": "2020-07-27T00:00:00", "id": "GLSA-202007-36", "href": "https://security.gentoo.org/glsa/202007-36", "title": "DjVu: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2021-02-02T07:12:52", "description": "In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h.", "edition": 12, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-08-18T19:15:00", "title": "CVE-2019-15144", "type": "cve", "cwe": ["CWE-674"], 
"bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15144"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:djvulibre_project:djvulibre:3.5.27"], "id": "CVE-2019-15144", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15144", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:djvulibre_project:djvulibre:3.5.27:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:12:52", "description": "DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.", "edition": 11, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-08-18T19:15:00", "title": "CVE-2019-15145", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15145"], "modified": "2020-07-27T03:15:00", "cpe": ["cpe:/a:djvulibre_project:djvulibre:3.5.27"], "id": "CVE-2019-15145", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15145", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:djvulibre_project:djvulibre:3.5.27:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:12:52", "description": "In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp.", "edition": 12, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-08-18T19:15:00", "title": "CVE-2019-15143", "type": "cve", "cwe": ["CWE-835"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 
2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15143"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:djvulibre_project:djvulibre:3.5.27"], "id": "CVE-2019-15143", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15143", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:djvulibre_project:djvulibre:3.5.27:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:12:52", "description": "In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file.", "edition": 12, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-08-18T19:15:00", "title": "CVE-2019-15142", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15142"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:djvulibre_project:djvulibre:3.5.27"], "id": "CVE-2019-15142", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15142", "cvss": {"score": 4.3, "vector": 
"AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:djvulibre_project:djvulibre:3.5.27:*:*:*:*:*:*:*"]}], "ubuntu": [{"lastseen": "2020-07-02T11:38:53", "bulletinFamily": "unix", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145", "CVE-2019-18804"], "description": "It was discovered that DjVuLibre incorrectly handled certain memory \noperations. If a user or automated system were tricked into processing a \nspecially crafted DjVu file, a remote attacker could cause applications \nto hang or crash, resulting in a denial of service, or possibly execute \narbitrary code.", "edition": 2, "modified": "2019-11-21T00:00:00", "published": "2019-11-21T00:00:00", "id": "USN-4198-1", "href": "https://ubuntu.com/security/notices/USN-4198-1", "title": "DjVuLibre vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cloudfoundry": [{"lastseen": "2019-12-06T03:52:35", "bulletinFamily": "software", "cvelist": ["CVE-2019-15143", "CVE-2019-15144", "CVE-2019-15142", "CVE-2019-15145", "CVE-2019-18804"], "description": "# \n\n## Severity\n\nLow\n\n## Vendor\n\nCanonical Ubuntu\n\n## Versions Affected\n\n * Canonical Ubuntu 18.04\n\n## Description\n\nIt was discovered that DjVuLibre incorrectly handled certain memory operations. 
If a user or automated system were tricked into processing a specially crafted DjVu file, a remote attacker could cause applications to hang or crash, resulting in a denial of service, or possibly execute arbitrary code.\n\nCVEs contained in this USN include: CVE-2019-15142, CVE-2019-15143, CVE-2019-15144, CVE-2019-15145, CVE-2019-18804\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is low unless otherwise noted._\n\n * All versions of Cloud Foundry cflinuxfs3 prior to 0.146.0\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.146.0 or later.\n\n## References\n\n * [USN-4198-1](<https://usn.ubuntu.com/4198-1>)\n * [CVE-2019-15142](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15142>)\n * [CVE-2019-15143](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15143>)\n * [CVE-2019-15144](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15144>)\n * [CVE-2019-15145](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15145>)\n * [CVE-2019-18804](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18804>)\n", "edition": 1, "modified": "2019-12-05T00:00:00", "published": "2019-12-05T00:00:00", "id": "CFOUNDRY:8A8925C48F7E405F9D6C927A2B352D79", "href": "https://www.cloudfoundry.org/blog/usn-4198-1/", "title": "USN-4198-1: DjVuLibre vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "attackerkb": [{"lastseen": "2020-11-18T06:50:31", "bulletinFamily": "info", "cvelist": ["CVE-2019-15142"], "description": "DJVuLibre is an open source library for DjVu, a web-centric format and software platform for distributing documents and images. 
According to the official site, it is used by many academic, commercial, government, and non-commercial websites around the world.\n\nA vulnerability was found by researcher Hongxu Chen. An out-of-bound read is possible when parsing a DJVU file, resulting in a denial-of-service condition.\n\n \n**Recent assessments:** \n \n**wchen-r7** at October 01, 2019 3:48am UTC reported:\n\n# CVE-2019-15142: DjVuLibre UTF8 Out-of-Bound Read Vulnerability\n\n## Description\n\nDJVuLibre is an open source library for DjVu, a web-centric format and software platform for distributing documents and images. According to the official site, it is used by many academic, commercial, government, and non-commercial websites around the world.\n\nA vulnerability was found by researcher Hongxu Chen. An out-of-bound read is possible when parsing a DJVU file, resulting in a denial-of-service condition.\n\n## Technical Details\n\nIn `DjVmDir::decode` of file DjVmDir.cpp, we have this block of code:\n \n \n void\n DjVmDir::decode(const GP<ByteStream> &gstr)\n {\n // ... code ...\n // Line 292\n GTArray<char> strings;\n char buffer[1024];\n int length;\n while((length=bs_str.read(buffer, 1024)))\n {\n int strings_size=strings.size();\n strings.resize(strings_size+length-1);\n memcpy((char*) strings+strings_size, buffer, length);\n }\n DEBUG_MSG(\"size of decompressed names block=\" << strings.size() << \"\\n\");\n if (strings[strings.size()-1] != 0)\n {\n int strings_size=strings.size();\n strings.resize(strings_size+1);\n strings[strings_size] = 0;\n }\n \n // Copy names into the files\n const char * ptr=strings;\n for(pos=files_list;pos;++pos)\n {\n GP<File> file=files_list[pos];\n \n file->id=ptr;\n // ... code ...\n }\n \n\nWe start with a custom GTArray named `strings`. It is used to store the user-provided byte stream, which we read up to 1024 bytes. 
While storing, the GTArray buffer gets resized before the data is copied:\n \n \n GTArray<char> strings;\n char buffer[1024];\n int length;\n while((length=bs_str.read(buffer, 1024)))\n {\n int strings_size=strings.size();\n strings.resize(strings_size+length-1);\n memcpy((char*) strings+strings_size, buffer, length);\n }\n \n\nIf the char array does not end with a null byte, a null byte is inserted (and size readjusted):\n \n \n if (strings[strings.size()-1] != 0)\n {\n int strings_size=strings.size();\n strings.resize(strings_size+1);\n strings[strings_size] = 0;\n }\n \n\nNext, a reference of the GTArray is copied, and then this is used as a file ID according to this line:\n \n \n file->id=ptr;\n \n\nThe `id` member is actually a custom GUTF8String. It overrides the `=` operator, the implementation of which can be found here:\n \n \n // Line 2625 in GString.cpp\n GUTF8String& GUTF8String::operator= (const char *str)\n { return init(GStringRep::UTF8::create(str)); }\n \n\nThe implementation for `create()` can be found here:\n \n \n // Line 156 in GString.cpp\n GP<GStringRep>\n GStringRep::UTF8::create(const char *s)\n {\n GStringRep::UTF8 dummy;\n return dummy.strdup(s);\n }\n \n\nThe `strdup` function isn\u2019t exactly the same as the original `strdup` in C/C++; in fact, it is custom for UTF8. This is where the problem finally blows up. Although `DjVmDir::decode` is aware that a null byte is necessary at the end of the string, it is just an ASCII type null byte terminator, which is only one byte, but that\u2019s not enough for UTF8. In other words, the null byte terminating routine in `DjVmDir::decode` does not really work. 
As a result, an off-by-one out-of-bound read condition could occur, which is proven in the AddressSanitizer [bug report](<https://sourceforge.net/p/djvu/bugs/296/>) by Hongxu Chen:\n \n \n ==14708==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000000f1 at pc 0x7fd31456a66e bp 0x7ffc59407e10 sp 0x7ffc594075b8\n READ of size 1 at 0x6040000000f1 thread T0\n #0 0x7fd31456a66d (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)\n #1 0x7fd3141a5d5b in GStringRep::strdup(char const*) const /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/GString.cpp:1017\n #2 0x7fd31419f474 in GStringRep::UTF8::create(char const*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/GString.cpp:160\n #3 0x7fd3141b64fd in GUTF8String::operator=(char const*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/GString.cpp:2626\n #4 0x7fd314054dbb in DjVmDir::decode(GP<ByteStream> const&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVmDir.cpp:315\n #5 0x7fd3140c0b54 in display_djvm_dirm /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVuDumpHelper.cpp:172\n #6 0x7fd3140c2a64 in display_chunks /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVuDumpHelper.cpp:335\n #7 0x7fd3140c2b1f in display_chunks /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVuDumpHelper.cpp:342\n #8 0x7fd3140c31f0 in DjVuDumpHelper::dump(GP<ByteStream>) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVuDumpHelper.cpp:361\n #9 0x562f0317dba7 in display(GURL const&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/djvudump.cpp:128\n #10 0x562f0317e35d in main /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/djvudump.cpp:178\n #11 0x7fd3135fbb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)\n #12 0x562f0317d909 in _start (/home/hongxu/FOT/djvulibre/djvu-djvulibre-git/install/bin/djvudump+0x3909)\n \n 0x6040000000f1 is located 0 bytes to the right of 33-byte region [0x6040000000d0,0x6040000000f1)\n allocated by thread T0 here:\n #0 
0x7fd3145f9458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)\n #1 0x7fd31415c17c in GArrayBase::resize(int, int) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/GContainer.cpp:220\n #2 0x7fd31405ede4 in GArrayTemplate<char>::resize(int) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/GContainer.h:496\n #3 0x7fd314054aff in DjVmDir::decode(GP<ByteStream> const&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVmDir.cpp:298\n #4 0x7fd3140c0b54 in display_djvm_dirm /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVuDumpHelper.cpp:172\n #5 0x7fd3140c2a64 in display_chunks /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVuDumpHelper.cpp:335\n #6 0x7fd3140c2b1f in display_chunks /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVuDumpHelper.cpp:342\n #7 0x7fd3140c31f0 in DjVuDumpHelper::dump(GP<ByteStream>) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/DjVuDumpHelper.cpp:361\n #8 0x562f0317dba7 in display(GURL const&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/djvudump.cpp:128\n #9 0x562f0317e35d in main /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/djvudump.cpp:178\n #10 0x7fd3135fbb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)\n \n\nIt seems the vulnerability falls under the local attack category, therefore an out-of-bound read type vulnerability would not be directly threatening to the system. In our case specifically, it looks like the extra read would actually cause a crash somewhere in the `decode()` function.\n\nAssessed Attacker Value: 5\n", "modified": "2020-02-13T00:00:00", "published": "2020-02-13T00:00:00", "id": "AKB:0C951592-CB7F-4672-8788-014F4110580E", "href": "https://attackerkb.com/topics/RiJjoLBOzp/cve-2019-15142-djvulibre-out-of-bound-read-vulnerability", "type": "attackerkb", "title": "CVE-2019-15142: DjVuLibre Out-of-Bound Read Vulnerability", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}]}