EulerOS 2.0 SP2 : libXfont (EulerOS-SA-2019-2357)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(131849);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/05");

  script_cve_id(
    "CVE-2011-2895",
    "CVE-2017-13720",
    "CVE-2017-13722",
    "CVE-2017-16611"
  );
  script_bugtraq_id(49124);

  script_name(english:"EulerOS 2.0 SP2 : libXfont (EulerOS-SA-2019-2357)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the libXfont package installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - The LZW decompressor in (1) the BufCompressedFill
    function in fontfile/decompress.c in X.Org libXfont
    before 1.4.4 and (2) compress/compress.c in 4.3BSD, as
    used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD
    4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1,
    FreeType 2.1.9, and other products, does not properly
    handle code words that are absent from the
    decompression table when encountered, which allows
    context-dependent attackers to trigger an infinite loop
    or a heap-based buffer overflow, and possibly execute
    arbitrary code, via a crafted compressed stream, a
    related issue to CVE-2006-1168 and
    CVE-2011-2896.(CVE-2011-2895)

  - In the pcfGetProperties function in bitmap/pcfread.c in
    libXfont through 1.5.2 and 2.x before 2.0.2, a missing
    boundary check (for PCF files) could be used by local
    attackers authenticated to an Xserver for a buffer
    over-read, for information disclosure or a crash of the
    X server.(CVE-2017-13722)

  - In the PatternMatch function in fontfile/fontdir.c in
    libXfont through 1.5.2 and 2.x before 2.0.2, an
    attacker with access to an X connection can cause a
    buffer over-read during pattern matching of fonts,
    leading to information disclosure or a crash (denial of
    service). This occurs because '\0' characters are
    incorrectly skipped in situations involving ?
    characters.(CVE-2017-13720)

  - In libXfont before 1.5.4 and libXfont2 before 2.0.3, a
    local attacker can open (but not read) files on the
    system as root, triggering tape rewinds, watchdogs, or
    similar mechanisms that can be triggered by opening
    files.(CVE-2017-16611)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2357
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bd72a1c");
  script_set_attribute(attribute:"solution", value:
"Update the affected libXfont packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-2895");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-13722");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libXfont");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["libXfont-1.5.1-2.h2"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXfont");
}