openSUSE Security Update: Security update for nim
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0618-1
Rating:             moderate
References:         #1185083 #1185084 #1185085 
Cross-References:   CVE-2021-21372 CVE-2021-21373 CVE-2021-21374
                   
CVSS scores:
                    CVE-2021-21374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for nim fixes the following issues:

   nim was updated to version 1.2.12:

   * Fixed GC crash resulting from inlining of the memory allocation procs
   * Fixed "incorrect raises effect for $(NimNode)" (#17454)

   From version 1.2.10:

   * Fixed "JS backend doesn't handle float->int type conversion" (#8404)
   * Fixed "The 'try except' not work when the 'OSError: Too many
     open files' error occurs!" (#15925)
   * Fixed "Nim emits #line 0 C preprocessor directives with
     --debugger:native, with ICE in gcc-10" (#15942)
   * Fixed "tfuturevar fails when activated" (#9695)
   * Fixed "nre.escapeRe is not gcsafe" (#16103)
   * Fixed "'Error: internal error: genRecordFieldAux' - in the
     'version-1-4' branch" (#16069)
   * Fixed "-d:fulldebug switch does not compile with gc:arc" (#16214)
   * Fixed "osLastError may randomly raise defect and crash" (#16359)
   * Fixed "generic importc proc's don't work (breaking lots
     of vmops procs for js)" (#16428)
   * Fixed "Concept: codegen ignores parameter passing" (#16897)
   * Fixed "{.push exportc.} interacts with anonymous functions" (#16967)
   * Fixed "memory allocation during {.global.} init breaks GC" (#17085)
   * Fixed "Nimble arbitrary code execution for specially crafted package
     metadata"
     + https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
     + (boo#1185083, CVE-2021-21372)
   * Fixed "Nimble falls back to insecure http url when fetching packages"
     + https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8
     + (boo#1185084, CVE-2021-21373)
   * Fixed "Nimble fails to validate certificates due to insecure httpClient
     defaults"
     + https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
     + (boo#1185085, CVE-2021-21374)

   From version 1.2.8:

   * Fixed "Defer and --gc:arc" (#15071)
   * Fixed "Issue with --gc:arc at compile time" (#15129)
   * Fixed "Nil check on each field fails in generic function" (#15101)
   * Fixed "[strscans] scanf doesn't match a single character with $+ if
     it's the end of the string" (#15064)
   * Fixed "Crash and incorrect return values when using
     readPasswordFromStdin on Windows." (#15207)
   * Fixed "Inconsistent unsigned -> signed RangeDefect usage across
     integer sizes" (#15210)
   * Fixed "toHex results in RangeDefect exception when used with large
     uint64" (#15257)
   * Fixed "Mixing 'return' with expressions is allowed in 1.2" (#15280)
   * Fixed "proc execCmdEx doesn't work with -d:useWinAnsi" (#14203)
   * Fixed "memory corruption in tmarshall.nim" (#9754)
   * Fixed "Wrong number of variables" (#15360)
   * Fixed "defer doesnt work with block, break and await" (#15243)
   * Fixed "Sizeof of case object is incorrect. Showstopper" (#15516)
   * Fixed "regression(1.0.2 => 1.0.4) VM register messed up depending on
     unrelated context" (#15704)

   From version 1.2.6:

   * Fixed "The pegs module doesn't work with generics!" (#14718)
   * Fixed "[goto exceptions] {.noReturn.} pragma is not detected in a case
     expression" (#14458)
   * Fixed "[exceptions:goto] C compiler error with dynlib pragma calling a
     proc" (#14240)
   * Fixed "Nim source archive install: 'install.sh' fails with error:
     cp: cannot stat 'bin/nim-gdb': No such file or directory" (#14748)
   * Fixed "Stropped identifiers don't work as field names in tuple
     literals" (#14911)
   * Fixed "uri.decodeUrl crashes on incorrectly formatted input" (#14082)
   * Fixed "odbcsql module has some wrong integer types" (#9771)
   * Fixed "[ARC] Compiler crash declaring a finalizer proc directly in
     'new'" (#15044)
   * Fixed "code with named arguments in proc of winim/com can not been
     compiled" (#15056)
   * Fixed "javascript backend produces javascript code with syntax error
     in object syntax" (#14534)
   * Fixed "[ARC] SIGSEGV when calling a closure as a tuple field in a
     seq" (#15038)
   * Fixed "Compiler crashes when using string as object variant selector
     with else branch" (#14189)
   * Fixed "Constructing a uint64 range on a 32-bit machine leads to
     incorrect codegen" (#14616)

   Update to version 1.2.2:

   * See https://nim-lang.org/blog.html for details

   Update to version 1.0.2:

   * See https://nim-lang.org/blog.html for details


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-618=1



Package List:

   - openSUSE Leap 15.2 (x86_64):

      nim-1.2.12-lp152.2.3.1
      nim-debuginfo-1.2.12-lp152.2.3.1
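
   Added example, not part of this advisory or of the nim package: a POSIX
   shell check that reads "rpm -q nim" style output and reports whether the
   installed build is at or above nim-1.2.12-lp152.2.3.1 from the package
   list above, so a fleet can be checked for hosts still carrying an affected
   nim. The three sample lines are constructed, and GNU "sort -V" is assumed
   for the version comparison.

```sh
#!/bin/sh
# Added example, not from the openSUSE advisory or the nim project: verify
# that an installed nim package is at or above the fixed build listed in the
# advisory's Package List for openSUSE Leap 15.2.

FIXED_NIM_VR="1.2.12-lp152.2.3.1"   # VERSION-RELEASE taken from the advisory

# version_ge A B: succeed (exit 0) when version-release string A sorts at or
# above B. Relies on GNU 'sort -V' (coreutils); that is an assumption here.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_nim_patched LINE: LINE is one line of 'rpm -q nim' output, e.g.
# "nim-1.2.12-lp152.2.3.1.x86_64" or "package nim is not installed".
# Exit status: 0 = fixed build or newer, 1 = older (still affected),
#              2 = nim not installed or output not understood.
check_nim_patched() {
    pkg="$1"
    case "$pkg" in
        nim-[0-9]*) ;;          # NAME-VERSION-RELEASE[.ARCH]
        *) return 2 ;;
    esac
    vr="${pkg#nim-}"            # drop the package name
    vr="${vr%.x86_64}"          # drop the architecture suffix, if present
    vr="${vr%.noarch}"
    if version_ge "$vr" "$FIXED_NIM_VR"; then
        return 0
    else
        return 1
    fi
}

# Constructed sample lines standing in for 'rpm -q nim' output on three hosts.
for sample in "nim-1.2.12-lp152.2.3.1.x86_64" \
              "nim-1.2.8-lp152.1.1.x86_64" \
              "package nim is not installed"; do
    check_nim_patched "$sample" && rc=0 || rc=$?
    case $rc in
        0) echo "$sample: fixed build present" ;;
        1) echo "$sample: older than $FIXED_NIM_VR, apply patch openSUSE-2021-618" ;;
        *) echo "$sample: nim not installed, not affected" ;;
    esac
done

# On a real Leap 15.2 host, feed the live query instead of the samples:
#   check_nim_patched "$(rpm -q nim 2>&1)"
```

   The check deliberately distinguishes "not installed" (exit 2) from "older
   than the fix" (exit 1) so that a host with no nim package is not reported
   as needing the patch.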


References:

   https://www.suse.com/security/cve/CVE-2021-21372.html
   https://www.suse.com/security/cve/CVE-2021-21373.html
   https://www.suse.com/security/cve/CVE-2021-21374.html
   https://bugzilla.suse.com/1185083
   https://bugzilla.suse.com/1185084
   https://bugzilla.suse.com/1185085