Stay Secure with the Latest Linux Advisories

security advisorymoderatesoftware update

openSUSE Leap 15.2: 2021:0618-1 Moderate: Nim Memory Crash

An update that fixes three vulnerabilities is now available. . openSUSE Security Update: Security update for nim ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:0618-1 Rating: moderate References: #1185083 #1185084 #1185085 Cross-References: CVE-2021-21372 CVE-2021-21373 CVE-2021-21374 CVSS scores: CVE-2021-21374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for nim fixes the following issues: num was updated to version 1.2.12: * Fixed GC crash resulting from inlining of the memory allocation procs * Fixed ???incorrect raises effect for $(NimNode)??? (#17454) From version 1.2.10: * Fixed ???JS backend doesn???t handle float-> int type conversion ??? (#8404) * Fixed ???The ???try except??? not work when the ???OSError: Too many open files??? error occurs!??? (#15925) * Fixed ???Nim emits #line 0 C preprocessor directives with ???debugger:native, with ICE in gcc-10??? (#15942) * Fixed ???tfuturevar fails when activated??? (#9695) * Fixed ???nre.escapeRe is not gcsafe??? (#16103) * Fixed ??????Error: internal error: genRecordFieldAux??? - in the ???version-1-4??? branch??? (#16069) * Fixed ???-d:fulldebug switch does not compile with gc:arc??? (#16214) * Fixed ???osLastError may randomly raise defect and crash??? (#16359) * Fixed ???generic importc proc???s don???t work (breaking lots of vmops procs for js)??? (#16428) * Fixed ???Concept: codegen ignores parameter passing??? (#16897) * Fixed ???{.push exportc.} interacts with anonymous functions??? (#16967) * Fixed ???memory allocation during {.global.} init breaks GC??? (#17085) * Fixed "Nimble arbitrary codeexecution for specially crafted package metadata" + p + (boo#1185083, CVE-2021-21372) * Fixed "Nimble falls back to insecure http url when fetching packages" + 8 + (boo#1185084, CVE-2021-21373) * Fixed "Nimble fails to validate certificates due to insecure httpClient defaults" + x + (boo#1185085, CVE-2021-21374) from version 1.2.8 * Fixed ???Defer and ???gc:arc??? (#15071) * Fixed ???Issue with ???gc:arc at compile time??? (#15129) * Fixed ???Nil check on each field fails in generic function??? (#15101) * Fixed ???[strscans] scanf doesn???t match a single character with $+ if it???s the end of the string??? (#15064) * Fixed ???Crash and incorrect return values when using readPasswordFromStdin on Windows.??? (#15207) * Fixed ???Inconsistent unsigned -> signed RangeDefect usage across integer sizes??? (#15210) * Fixed ???toHex results in RangeDefect exception when used with large uint64??? (#15257) * Fixed ???Mixing ???return??? with expressions is allowed in 1.2??? (#15280) * Fixed ???proc execCmdEx doesn???t work with -d:useWinAnsi??? (#14203) * Fixed ???memory corruption in tmarshall.nim??? (#9754) * Fixed ???Wrong number of variables??? (#15360) * Fixed ???defer doesnt work with block, break and await??? (#15243) * Fixed ???Sizeof of case object is incorrect. Showstopper??? (#15516) * Fixed ???Mixing ???return??? with expressions is allowed in 1.2??? (#15280) * Fixed ???regression(1.0.2 => 1.0.4) VM register messed up depending on unrelated context??? (#15704) from version 1.2.6 * Fixed ???The pegs module doesn???t work with generics!??? (#14718) * Fixed ???[goto exceptions] {.noReturn.} pragma is not detected in a case expression??? (#14458) * Fixed ???[exceptions:goto] C compiler error with dynlib pragma calling a proc??? (#14240) * Fixed ???Nim source archive install: ???install.sh??? fails with error: cp: cannotstat ???bin/nim-gdb???: No such file or directory??? (#14748) * Fixed ???Stropped identifiers don???t work as field names in tuple literals??? (#14911) * Fixed ???uri.decodeUrl crashes on incorrectly formatted input??? (#14082) * Fixed ???odbcsql module has some wrong integer types??? (#9771) * Fixed ???[ARC] Compiler crash declaring a finalizer proc directly in ???new?????? (#15044) * Fixed ???code with named arguments in proc of winim/com can not been compiled??? (#15056) * Fixed ???javascript backend produces javascript code with syntax error in object syntax??? (#14534) * Fixed ???[ARC] SIGSEGV when calling a closure as a tuple field in a seq??? (#15038) * Fixed ???Compiler crashes when using string as object variant selector with else branch??? (#14189) * Fixed ???Constructing a uint64 range on a 32-bit machine leads to incorrect codegen??? (#14616) Update to version 1.2.2: * See https://nim-lang.org/blog.html for details Update to version 1.0.2: * See https://nim-lang.org/blog.html for details Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-618=1 Package List: - openSUSE Leap 15.2 (x86_64): nim-1.2.12-lp152.2.3.1 nim-debuginfo-1.2.12-lp152.2.3.1 References: https://www.suse.com/security/cve/CVE-2021-21372.html https://www.suse.com/security/cve/CVE-2021-21373.html https://www.suse.com/security/cve/CVE-2021-21374.html https://bugzilla.suse.com/1185083 https://bugzilla.suse.com/1185084 https://bugzilla.suse.com/1185085 . The latest openSUSE update addresses vulnerabilities and memory management concerns within the nim package. Discover more details!. openSUSE Update,Nim Fix,Memory Allocation,Software Patch. . LinuxSecurity.com Team

Apr 25, 2021 OpenSUSE