Security update for nasm

Announcement ID:	SUSE-SU-2020:1843-1
Rating:	moderate
References:	bsc#1084631 bsc#1086186 bsc#1086227 bsc#1086228 bsc#1090519 bsc#1090840 bsc#1106878 bsc#1107592 bsc#1107594 bsc#1108404 bsc#1115758 bsc#1115774 bsc#1115795 bsc#1173538 jsc#ECO-2098
Cross-References:	CVE-2018-1000667 CVE-2018-10016 CVE-2018-10254 CVE-2018-10316 CVE-2018-16382 CVE-2018-16517 CVE-2018-16999 CVE-2018-19214 CVE-2018-19215 CVE-2018-19216 CVE-2018-8881 CVE-2018-8882 CVE-2018-8883
CVSS scores:	CVE-2018-1000667 ( SUSE ): 2.5 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-1000667 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-10016 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-10016 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-10254 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-10254 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-10316 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-10316 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-16382 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-16517 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-16517 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-16517 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-16999 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-16999 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-19214 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L CVE-2018-19214 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-19215 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L CVE-2018-19215 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-19216 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-19216 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-8881 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-8881 ( NVD ): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2018-8882 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-8882 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-8883 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-8883 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Development Tools Module 15-SP2 Development Tools Module 15-SP1 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.0 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.0 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.0 SUSE Manager Server 4.1

An update that solves 13 vulnerabilities, contains one feature and has one security fix can now be installed.

Description:

This update for nasm fixes the following issues:

nasm was updated to version 2.14.02.

This allows building of Mozilla Firefox 78ESR and also contains lots of bugfixes, security fixes and improvements.

• Fix crash due to multiple errors or warnings during the code generation pass if a list file is specified.
• Create all system-defined macros defore processing command-line given preprocessing directives (-p, -d, -u, --pragma, --before).
• If debugging is enabled, define a DEBUG_FORMAT predefined macro. See section 4.11.7.
• Fix an assert for the case in the obj format when a SEG operator refers to an EXTERN symbol declared further down in the code.
• Fix a corner case in the floating-point code where a binary, octal or hexadecimal floating-point having at least 32, 11, or 8 mantissa digits could produce slightly incorrect results under very specific conditions.
• Support -MD without a filename, for gcc compatibility. -MF can be used to set the dependencies output filename. See section 2.1.7.
• Fix -E in combination with -MD. See section 2.1.21.
• Fix missing errors on redefined labels; would cause convergence failure instead which is very slow and not easy to debug.
• Duplicate definitions of the same label with the same value is now explicitly permitted (2.14 would allow it in some circumstances.)
• Add the option --no-line to ignore %line directives in the source. See section 2.1.33 and section 4.10.1.
• Changed -I option semantics by adding a trailing path separator unconditionally.
• Fixed null dereference in corrupted invalid single line macros.
• Fixed division by zero which may happen if source code is malformed.
• Fixed out of bound access in processing of malformed segment override.
• Fixed out of bound access in certain EQU parsing.
• Fixed buffer underflow in float parsing.
• Added SGX (Intel Software Guard Extensions) instructions.
• Added +n syntax for multiple contiguous registers.
• Fixed subsections_via_symbols for macho object format.
• Added the --gprefix, --gpostfix, --lprefix, and --lpostfix command line options, to allow command line base symbol renaming. See section 2.1.28.
• Allow label renaming to be specified by %pragma in addition to from the command line. See section 6.9.
• Supported generic %pragma namespaces, output and debug. See section 6.10.
• Added the --pragma command line option to inject a %pragma directive. See section 2.1.29.
• Added the --before command line option to accept preprocess statement before input. See section 2.1.30.
• Added AVX512 VBMI2 (Additional Bit Manipulation), VNNI (Vector Neural Network), BITALG (Bit Algorithm), and GFNI (Galois Field New Instruction) instructions.
• Added the STATIC directive for local symbols that should be renamed using global-symbol rules. See section 6.8.
• Allow a symbol to be defined as EXTERN and then later overridden as GLOBAL or COMMON. Furthermore, a symbol declared EXTERN and then defined will be treated as GLOBAL. See section 6.5.
• The GLOBAL directive no longer is required to precede the definition of the symbol.
• Support private_extern as macho specific extension to the GLOBAL directive. See section 7.8.5.
• Updated UD0 encoding to match with the specification
• Added the --limit-X command line option to set execution limits. See section 2.1.31.
• Updated the Codeview version number to be aligned with MASM.
• Added the --keep-all command line option to preserve output files. See section 2.1.32.
• Added the --include command line option, an alias to -P (section 2.1.18).
• Added the --help command line option as an alias to -h (section 3.1).
• Added -W, -D, and -Q suffix aliases for RET instructions so the operand sizes of these instructions can be encoded without using o16, o32 or o64.

New upstream version 2.13.03:

• Add flags: AES, VAES, VPCLMULQDQ
• Add VPCLMULQDQ instruction
• elf: Add missing dwarf loc section
• documentation updates

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Development Tools Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1843=1
• Development Tools Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-1843=1

Package List:

• Development Tools Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • nasm-debuginfo-2.14.02-3.4.1
  • nasm-debugsource-2.14.02-3.4.1
  • nasm-2.14.02-3.4.1
• Development Tools Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • nasm-debuginfo-2.14.02-3.4.1
  • nasm-debugsource-2.14.02-3.4.1
  • nasm-2.14.02-3.4.1

References:

• https://www.suse.com/security/cve/CVE-2018-1000667.html
• https://www.suse.com/security/cve/CVE-2018-10016.html
• https://www.suse.com/security/cve/CVE-2018-10254.html
• https://www.suse.com/security/cve/CVE-2018-10316.html
• https://www.suse.com/security/cve/CVE-2018-16382.html
• https://www.suse.com/security/cve/CVE-2018-16517.html
• https://www.suse.com/security/cve/CVE-2018-16999.html
• https://www.suse.com/security/cve/CVE-2018-19214.html
• https://www.suse.com/security/cve/CVE-2018-19215.html
• https://www.suse.com/security/cve/CVE-2018-19216.html
• https://www.suse.com/security/cve/CVE-2018-8881.html
• https://www.suse.com/security/cve/CVE-2018-8882.html
• https://www.suse.com/security/cve/CVE-2018-8883.html
• https://bugzilla.suse.com/show_bug.cgi?id=1084631
• https://bugzilla.suse.com/show_bug.cgi?id=1086186
• https://bugzilla.suse.com/show_bug.cgi?id=1086227
• https://bugzilla.suse.com/show_bug.cgi?id=1086228
• https://bugzilla.suse.com/show_bug.cgi?id=1090519
• https://bugzilla.suse.com/show_bug.cgi?id=1090840
• https://bugzilla.suse.com/show_bug.cgi?id=1106878
• https://bugzilla.suse.com/show_bug.cgi?id=1107592
• https://bugzilla.suse.com/show_bug.cgi?id=1107594
• https://bugzilla.suse.com/show_bug.cgi?id=1108404
• https://bugzilla.suse.com/show_bug.cgi?id=1115758
• https://bugzilla.suse.com/show_bug.cgi?id=1115774
• https://bugzilla.suse.com/show_bug.cgi?id=1115795
• https://bugzilla.suse.com/show_bug.cgi?id=1173538
• https://jira.suse.com/browse/ECO-2098