SUSE 5146 Published by

A nim security update has been released for SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2022:10095-1: important: Security update for nim


openSUSE Security Update: Security update for nim
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:10095-1
Rating: important
References: #1175332 #1175333 #1175334 #1181705 #1185083
#1185084 #1185085 #1185948 #1192712
Cross-References: CVE-2020-15690 CVE-2020-15692 CVE-2020-15693
CVE-2020-15694 CVE-2021-21372 CVE-2021-21373
CVE-2021-21374 CVE-2021-29495 CVE-2021-41259

CVSS scores:
CVE-2020-15690 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15692 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15693 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-15694 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2021-21372 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-21373 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2021-21374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-29495 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2021-41259 (NVD) : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update for nim fixes the following issues:

Includes upstream security fixes for:

* (boo#1175333, CVE-2020-15693) httpClient is vulnerable to a CR-LF
injection
* (boo#1175334, CVE-2020-15692) mishandle of argument to
browsers.openDefaultBrowser
* (boo#1175332, CVE-2020-15694) httpClient.get().contentLength() fails to
properly validate the server response
* (boo#1192712, CVE-2021-41259) null byte accepted in getContent function,
leading to URI validation bypass
* (boo#1185948, CVE-2021-29495) stdlib httpClient does not validate peer
certificates by default
* (boo#1185085, CVE-2021-21374) Improper verification of the SSL/TLS
certificate
* (boo#1185084, CVE-2021-21373) "nimble refresh" falls back to a non-TLS
URL in case of error
* (boo#1185083, CVE-2021-21372) doCmd can be leveraged to execute
arbitrary commands
* (boo#1181705, CVE-2020-15690) Standard library asyncftpclient lacks a
check for newline character

Following nim tools now work as expected:

* nim_dbg is now installed.
* nim-gdb can be successfully launched as it finds and loads nim-gdb.py
correctly under gdb.
* nimble package manager stores package information per user.
* compiler package can be found and used, as it may be required by other
packages.

Update to 1.6.6

* standard library use consistent styles for variable names so it can be
used in projects which force a consistent style with
--styleCheck:usages option.
* ARC/ORC are now considerably faster at method dispatching, bringing its
performance back on the level of the refc memory management.
* Full changelog:
  https://nim-lang.org/blog/2022/05/05/version-166-released.html
- Previous updates and changelogs:
* 1.6.4:   https://nim-lang.org/blog/2022/02/08/version-164-released.html
* 1.6.2:   https://nim-lang.org/blog/2021/12/17/version-162-released.html
* 1.6.0:   https://nim-lang.org/blog/2021/10/19/version-160-released.html
* 1.4.8:   https://nim-lang.org/blog/2021/05/25/version-148-released.html
* 1.4.6:
  https://nim-lang.org/blog/2021/04/15/versions-146-and-1212-released.html
* 1.4.4:
  https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html
* 1.4.2:   https://nim-lang.org/blog/2020/12/01/version-142-released.html
* 1.4.0:   https://nim-lang.org/blog/2020/10/16/version-140-released.html

Update to 1.2.16

* oids: switch from PRNG to random module
* nimc.rst: fix table markup
* nimRawSetjmp: support Windows
* correctly enable chronos
* bigints are not supposed to work on 1.2.x
* disable nimpy
* misc bugfixes
* fixes a 'mixin' statement handling regression [backport:1.2

Update to version 1.2.12

* Fixed GC crash resulting from inlining of the memory allocation procs
* Fixed ???incorrect raises effect for $(NimNode)??? (#17454)
- from version 1.2.10
* Fixed ???JS backend doesn???t handle float->int type conversion ???
(#8404)
* Fixed ???The ???try except??? not work when the ???OSError: Too many
open files??? error occurs!??? (#15925)
* Fixed ???Nim emits #line 0 C preprocessor directives with
???debugger:native, with ICE in gcc-10??? (#15942)
* Fixed ???tfuturevar fails when activated??? (#9695)
* Fixed ???nre.escapeRe is not gcsafe??? (#16103)
* Fixed ??????Error: internal error: genRecordFieldAux??? - in the
???version-1-4??? branch??? (#16069)
* Fixed ???-d:fulldebug switch does not compile with gc:arc??? (#16214)
* Fixed ???osLastError may randomly raise defect and crash??? (#16359)
* Fixed ???generic importc proc???s don???t work (breaking lots
of vmops procs for js)??? (#16428)
* Fixed ???Concept: codegen ignores parameter passing??? (#16897)
* Fixed ???{.push exportc.} interacts with anonymous functions??? (#16967)
* Fixed ???memory allocation during {.global.} init breaks GC??? (#17085)
* Fixed "Nimble arbitrary code execution for specially crafted package
metadata"
+
  https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962
p
+ (boo#1185083, CVE-2021-21372)
* Fixed "Nimble falls back to insecure http url when fetching packages"
+
  https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp
8
+ (boo#1185084, CVE-2021-21373)
* Fixed "Nimble fails to validate certificates due to insecure httpClient
defaults"
+
  https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhx
x
+ (boo#1185085, CVE-2021-21374)
- from version 1.2.8
* Fixed ???Defer and ???gc:arc??? (#15071)
* Fixed ???Issue with ???gc:arc at compile time??? (#15129)
* Fixed ???Nil check on each field fails in generic function??? (#15101)
* Fixed ???[strscans] scanf doesn???t match a single character with $+ if
it???s the end of the string??? (#15064)
* Fixed ???Crash and incorrect return values when using
readPasswordFromStdin on Windows.??? (#15207)
* Fixed ???Inconsistent unsigned -> signed RangeDefect usage across
integer sizes??? (#15210)
* Fixed ???toHex results in RangeDefect exception when used with large
uint64??? (#15257)
* Fixed ???Mixing ???return??? with expressions is allowed in 1.2???
(#15280)
* Fixed ???proc execCmdEx doesn???t work with -d:useWinAnsi??? (#14203)
* Fixed ???memory corruption in tmarshall.nim??? (#9754)
* Fixed ???Wrong number of variables??? (#15360)
* Fixed ???defer doesnt work with block, break and await??? (#15243)
* Fixed ???Sizeof of case object is incorrect. Showstopper??? (#15516)
* Fixed ???Mixing ???return??? with expressions is allowed in 1.2???
(#15280)
* Fixed ???regression(1.0.2 => 1.0.4) VM register messed up depending on
unrelated context??? (#15704)
- from version 1.2.6
* Fixed ???The pegs module doesn???t work with generics!??? (#14718)
* Fixed ???[goto exceptions] {.noReturn.} pragma is not detected in a case
expression??? (#14458)
* Fixed ???[exceptions:goto] C compiler error with dynlib pragma calling a
proc??? (#14240)
* Fixed ???Nim source archive install: ???install.sh??? fails with error:
cp: cannot stat ???bin/nim-gdb???: No such file or directory??? (#14748)
* Fixed ???Stropped identifiers don???t work as field names in tuple
literals??? (#14911)
* Fixed ???uri.decodeUrl crashes on incorrectly formatted input??? (#14082)
* Fixed ???odbcsql module has some wrong integer types??? (#9771)
* Fixed ???[ARC] Compiler crash declaring a finalizer proc directly in
???new?????? (#15044)
* Fixed ???code with named arguments in proc of winim/com can not been
compiled??? (#15056)
* Fixed ???javascript backend produces javascript code with syntax error
in object syntax??? (#14534)
* Fixed ???[ARC] SIGSEGV when calling a closure as a tuple field in a
seq??? (#15038)
* Fixed ???Compiler crashes when using string as object variant selector
with else branch??? (#14189)
* Fixed ???Constructing a uint64 range on a 32-bit machine leads to
incorrect codegen??? (#14616)

Update to version 1.2.2:

* See   https://nim-lang.org/blog.html for details
- Enable the full testsuite in the %check section
* Add build dependencies to run the testsuite
* Whitelists a few tests that are not passing yet

Update to version 1.0.2:

* See   https://nim-lang.org/blog.html for details
- Update dependencies (based on changes by Federico Ceratto

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2022-10095=1


Package List:

- openSUSE Backports SLE-15-SP3 (aarch64 ppc64le x86_64):

nim-1.6.6-bp153.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2020-15690.html
  https://www.suse.com/security/cve/CVE-2020-15692.html
  https://www.suse.com/security/cve/CVE-2020-15693.html
  https://www.suse.com/security/cve/CVE-2020-15694.html
  https://www.suse.com/security/cve/CVE-2021-21372.html
  https://www.suse.com/security/cve/CVE-2021-21373.html
  https://www.suse.com/security/cve/CVE-2021-21374.html
  https://www.suse.com/security/cve/CVE-2021-29495.html
  https://www.suse.com/security/cve/CVE-2021-41259.html
  https://bugzilla.suse.com/1175332
  https://bugzilla.suse.com/1175333
  https://bugzilla.suse.com/1175334
  https://bugzilla.suse.com/1181705
  https://bugzilla.suse.com/1185083
  https://bugzilla.suse.com/1185084
  https://bugzilla.suse.com/1185085
  https://bugzilla.suse.com/1185948
  https://bugzilla.suse.com/1192712