The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.

    Qualys Security AdvisoryLeeloo Multipath: Authorization bypass and symlink attack in multipathd(CVE-2022-41974 and CVE-2022-41973)========================================================================Contents========================================================================SummaryCVE-2022-41974: Authorization bypassCVE-2022-41973: Symlink attackAcknowledgmentsTimeline========================================================================Summary========================================================================We discovered two local vulnerabilities (an authorization bypass and asymlink attack) in multipathd, a daemon that is running as root in thedefault installation of (for example) Ubuntu Server:https://ubuntu.com/server/docs/device-mapper-multipathing-introductionhttps://github.com/opensvc/multipath-toolsWe combined these two vulnerabilities with a third vulnerability, inanother package that is also installed by default on Ubuntu Server, andobtained full root privileges on Ubuntu Server 22.04; other releases areprobably also exploitable. We will publish this third vulnerability, andthe complete details of this local privilege escalation, in an upcomingadvisory.The authorization bypass (CVE-2022-41974) was introduced in February2017 (version 0.7.0) by commit 9acda0c ("Perform socket client uid checkon IPC commands"), but earlier versions perform no authorization checksat all: any unprivileged local user can issue any privileged command tomultipathd.The symlink attack (CVE-2022-41973) was introduced in May 2018 (version0.7.7) by commit 65d0a63 ("functions to indicate mapping failure in/dev/shm"); the vulnerable code was hardened significantly in May 2020(version 0.8.5) by commit 40ee3ea ("simplify failed wwid code"), but itremains exploitable nonetheless.========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep 'multipath[d]'root         377       1  0 13:55 ?        00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep 'multipathd'u_str LISTEN 0      4096        @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, "list" is 1 (1<<0), "add" is 2 (1<<1), and "path" (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163         r += add_key(keys, "list", LIST, 0);164         r += add_key(keys, "show", LIST, 0);165         r += add_key(keys, "add", ADD, 0);...183         r += add_key(keys, "path", PATH, 1);------------------------------------------------------------------------ 53 #define LIST            (1ULL << __LIST) 54 #define ADD             (1ULL << __ADD) .. 69 #define PATH            (1ULL << __PATH)------------------------------------------------------------------------  6 enum {  7         __LIST,                 /*  0 */  8         __ADD, .. 23         __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command "list path PARAM" is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command "add path PARAM"is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527         set_handler_callback(LIST+PATH, cli_list_path);....1549         set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325         uint64_t fp = 0;...331         vector_foreach_slot(vec, kw, i)332                 fp += kw->code;333 334         return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95         vector_foreach_slot (handlers, h, i) 96                 if (h->fingerprint == fp) 97                         return h; 98  99         return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485         case CLT_PARSE:486                 c->error = parse_cmd(c);487                 if (!c->error) {...491                         if (!c->is_root && kw->code != LIST) {492                                 c->error = -EPERM;...495                         }496                 }497                 if (c->error)...501                 else502                         set_client_state(c, CLT_WORK);...522         case CLT_WORK:523                 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client's UID (obtained from SO_PEERCRED) is 0  (i.e., if is_root is true), then the client is privileged; otherwise,  it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute  any commands; otherwise, only unprivileged LIST commands are allowed  (i.e., commands whose first keyword is either "list" or "show").Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is "list")but whose fingerprint matches a privileged command (by repeating the"list" keyword): we can exploit this flaw to bypass multipathd'sauthorization check.For example, we are not allowed to execute "add path PARAM" (whosefingerprint is 2+65536=65538) because the first keyword is not "list",but we are allowed to execute the equivalent "list list path PARAM"(whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is "list" (the multipathd daemon below replies"blacklisted" because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.========================================================================CVE-2022-41973: Symlink attack========================================================================multipathd operates insecurely, as root, in /dev/shm (a sticky,world-writable directory similar to /tmp). The vulnerable code (inmark_failed_wwid()) may be executed during the normal lifetime ofmultipathd, but a local attacker can force its execution by exploitingthe authorization bypass CVE-2022-41974; for example, by adding a"whitelisted, unmonitored" device to multipathd:------------------------------------------------------------------------$ multipathd list devices | grep 'whitelisted, unmonitored'    sda1 devnode whitelisted, unmonitored    ...$ multipathd list list path sda1fail------------------------------------------------------------------------This command, which is equivalent to "add path sda1", results in thefollowing system-call trace (strace) of the multipathd daemon:------------------------------------------------------------------------386 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = -1 ENOENT (No such file or directory)387 mkdir("/dev", 0700)                     = -1 EEXIST (File exists)388 mkdir("/dev/shm", 0700)                 = -1 EEXIST (File exists)389 mkdir("/dev/shm/multipath", 0700)       = 0390 mkdir("/dev/shm/multipath/failed_wwids", 0700) = 0391 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = 12392 getpid()                                = 375393 openat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", O_RDONLY|O_CREAT|O_EXCL, 0400) = 13394 close(13)                               = 0395 linkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 12, "VBOX_HARDDISK_VB60265ca5-df119cb6", 0) = 0396 unlinkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 0) = 0397 close(12)                               = 0------------------------------------------------------------------------- at line 389, the directory "/dev/shm/multipath" is created, if it does  not exist already;- at line 390, the directory "/dev/shm/multipath/failed_wwids" is  created, if it does not exist already;- at lines 391-397, the empty file  "/dev/shm/multipath/failed_wwids/VBOX_HARDDISK_VB60265ca5-df119cb6" is  created, if it does not exist already (its name is the "World Wide ID"  of the added device).multipathd is therefore vulnerable to two different symlink attacks:1/ if we (attackers) create an arbitrary symlink "/dev/shm/multipath",then we can create a directory named "failed_wwids" (user root, grouproot, mode 0700) anywhere in the filesystem;2/ if we create an arbitrary symlink "/dev/shm/multipath/failed_wwids",then we can create a file named "VBOX_HARDDISK_VB60265ca5-df119cb6"(user root, group root, mode 0400, size 0) anywhere in the filesystem.These two symlink attacks are very weak, because we do not control thename, user, group, mode, or contents of the directory or file that wecreate; only its location. Despite these limitations, we were able tocombine multipathd's vulnerabilities (authorization bypass and symlinkattack) with a third vulnerability (in another package), and obtainedfull root privileges on Ubuntu Server 22.04; we will publish this thirdvulnerability in an upcoming advisory.Side note: initially, we thought that the symlink attack 1/ would fail,because /dev/shm is a sticky world-writable directory, and the kernel'sfs.protected_symlinks is 1 by default; to our great surprise, however,it succeeded. Eventually, we understood that only the final component ofa path is protected, not its intermediate components; for example, if/tmp/foo is a symlink, then an access to /tmp/foo itself is protected,but an access to /tmp/foo/bar is not. Interestingly, this weakness wasalready pointed out in 2017 by Solar Designer, and the originalOpenwall, grsecurity, and Yama protections are not affected:https://www.openwall.com/lists/kernel-hardening/2017/06/06/74========================================================================Acknowledgments========================================================================We thank Martin Wilck and Benjamin Marzinski for their hard work on thisrelease, and the SUSE Security Team for their help with this disclosure.We also thank the members of linux-distros@openwall.========================================================================Timeline========================================================================2022-08-24: Advisory sent to security@suse.2022-10-10: Advisory and patches sent to linux-distros@openwall.2022-10-24: Coordinated Release Date (15:00 UTC).

Leeloo Multipath Authorization Bypass / Symlink Attack

Gentoo Linux Security Advisory 202210-32 - An integer overflow has been found in hiredis which could result in arbitrary code execution. Versions less than 1.0.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-32  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: hiredis, hiredis-py: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #873079, #816318  
       ID: 202210-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

An integer overflow has been found in hiredis which could result in  
arbitrary code execution.

Background  
==========

hiredis is a minimalistic C client library for the Redis database.

hiredis-py is a Python extension that wraps hiredis.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/hiredis           < 1.0.1                      >= 1.0.1  
  2  dev-python/hiredis         < 2.0.0                      >= 2.0.0

Description  
===========

Hiredis is vulnerable to integer overflow if provided maliciously  
crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing  
`multi-bulk` (array-like) replies, hiredis fails to check if `count *  
sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not,  
and the `calloc()` call doesn't itself make this check, it would result  
in a short allocation and subsequent buffer overflow.

Impact  
======

Malicious Redis commands could result in remote code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All hiredis users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/hiredis-1.0.1"

All hiredis-py users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/hiredis-2.0.0"

References  
==========

[ 1 ] CVE-2021-32765  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32765

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-32

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-32

Debian Linux Security Advisory 5266-1 - A heap use-after-free vulnerability after overeager destruction of a shared DTD in the XML_ExternalEntityParserCreate function in Expat, an XML parsing C library, may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5266-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 30, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : expatCVE ID         : CVE-2022-43680Debian Bug     : 1022743A heap use-after-free vulnerability after overeager destruction of ashared DTD in the XML_ExternalEntityParserCreate function in Expat, anXML parsing C library, may result in denial of service or potentiallythe execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 2.2.10-2+deb11u5.We recommend that you upgrade your expat packages.For the detailed security status of expat please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/expatFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmNehABfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TT5RAAiDBqtdgoagQspAsmWvoT1IJw0fsx2IFA4ynzyAI33nXegNKfDUGmc9wWKVm4APPaFWvy9s4hlA7HeMUdRQRxuW2iL5q3Jnkbjcnm1kISTgxPymt0HFeJWr9TVRSQt0OqUtzzOvNAz2lSd86551EMPa/oS0fvLq/vDTC3mTL1WsoMsouJR+l7potTMtJf43G10AmfLx+XgSsfmHU2Hvf5S2PO7aEmNHic9HW7bwUqm6KF2lZs5Qo4IVykqQ3eKufLg0HZcOi+QMWxpKYzxOR/tnzYHjLAzTI7yjugBBufcaux1kYnB0ULnDLfOc+uHXuhttfji4sbEzGB9uWDX+rhtBszcaM/Ww53J8tDy3chnv93pi5em1ABQljrPjFz/+N4g4tsNgdCTvMjT332kPi6W9zFUA/iB21LP4H7xc3stGCVubZW0UVcvOu2ubCabr/XQBOtlnc4tj/L9UyQW+Rfqe9x1WHkhwTuHMg8/YcqWljv3LwTz1DXfyFF0vmSlliOr0POP7I0iJvrw647rVBaNEsVPNqFhPu5Ro5jd5y3gt+f763J692JXfTPQJc3PaJz37NCdupga7lPu1W5cSLAYtze5JxqH4XJaKFprpaGfo3OFIDas0Z5yIs8DxMbjmY9VlpMQ8vKfHYPgoKV+NRv9bKKpBLxYI/o4bq8uA4JgpE==bLU+-----END PGP SIGNATURE-----

Debian Security Advisory 5266-1

Gentoo Linux Security Advisory 202210-31 - Multiple vulnerabilities have been discovered in OpenEXR, the worst of which could result in arbitrary code execution. Versions less than 3.1.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-31  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: OpenEXR: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #838079, #830384, #817431, #810541, #801373, #787452  
       ID: 202210-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in OpenEXR, the worst of  
which could result in arbitrary code execution.

Background  
==========

OpenEXR is a high dynamic-range (HDR) image file format developed by  
Industrial Light & Magic for use in computer imaging applications.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/openexr         < 3.1.5                      >= 3.1.5

Description  
===========

Multiple vulnerabilities have been discovered in OpenEXR. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All OpenEXR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/openexr-3.1.5"

References  
==========

[ 1 ] CVE-2021-3598  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3598  
[ 2 ] CVE-2021-3605  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3605  
[ 3 ] CVE-2021-3933  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3933  
[ 4 ] CVE-2021-3941  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3941  
[ 5 ] CVE-2021-20304  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20304  
[ 6 ] CVE-2021-23169  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23169  
[ 7 ] CVE-2021-45942  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45942

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-31

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-31

Debian Linux Security Advisory 5265-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5265-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 29, 2022                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2021-43980 CVE-2022-23181 CVE-2022-29885

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2021-43980

    The simplified implementation of blocking reads and writes introduced in  
    Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing  
    (but extremely hard to trigger) concurrency bug that could cause client  
    connections to share an Http11Processor instance resulting in responses, or  
    part responses, to be received by the wrong client.

CVE-2022-23181

    The fix for bug CVE-2020-9484 introduced a time of check, time of use  
    vulnerability into Apache Tomcat that allowed a local attacker to perform  
    actions with the privileges of the user that the Tomcat process is using.  
    This issue is only exploitable when Tomcat is configured to persist  
    sessions using the FileStore.

CVE-2022-29885

    The documentation of Apache Tomcat for the EncryptInterceptor incorrectly  
    stated it enabled Tomcat clustering to run over an untrusted network. This  
    was not correct. While the EncryptInterceptor does provide confidentiality  
    and integrity protection, it does not protect against all risks associated  
    with running over any untrusted network, particularly DoS risks.

For the stable distribution (bullseye), these problems have been fixed in  
version 9.0.43-2~deb11u4.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmNdoYJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRLxxAAzz/exjL7ERlJfqqvv1ofnRRmmJYtqaofzV8Ewb/xrFIQM8ZXohWLF9a0  
s0monZtUm+eQEKM3nYl1nXPI4l/shKnvo9yU17gcxqBgzBeYqsX9hqDm2Ie0raS7  
n22rwO4fHcQJ7vhSx2oYNL++YbEYQFEZgz+ZfiOLStHc2pIq2fxi4+jXuXHMUwuS  
KuCOYF8VLBjY87T7BT168GtKi02sIQzbXgAQSAGU6WsOvV4DLjagn/g+b1lK8F5u  
xO6rU2iM6pR73Ei2H2pb1B39BGhjorub7L2GQfiIMKf3bD7M+jflCnGq3n/xsUrO  
6PkaSCaN4DEip9V+3DBJ4TcOj0x/LzHMHimDoZ/CLI5qoPq5KWS4L7AKXM876+v5  
HIIzDH5B5INTeSEoVDkgKVx2fy8ZbaeDV+cmFTjXb+pmFpxxEuPGRYJg3Mv8PsqZ  
qPUqyrTKx8treIfXNJhJL00omDAX1T75H38BMNv56BbAHcBfszyFHHzr9uPo0+Fc  
tLYanZlx48IfCLXhOl2VcyE5up1snJmtMG1S2wFfl4btVfApGSAzAxSeYau+EGTu  
poFmm/5atf68cKEyGIuPFeNk97mqIp55gDi5lks/Cs7wW/EJndzFd/g5LwXb1HO1  
E30OhC79DT0Jlwpw3+VhS475K3XzGOhnk4x6DA1a/NtAzzaz7dg=  
=U52K  
-----END PGP SIGNATURE-----

Debian Security Advisory 5265-1

Gentoo Linux Security Advisory 202210-30 - Multiple vulnerabilities have been discovered in the Xorg Server and XWayland, the worst of which can result in remote code execution. Versions less than 21.1.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-30  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: X.Org X server, XWayland: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #857780  
       ID: 202210-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in the Xorg Server and  
XWayland, the worst of which can result in remote code execution.

Background  
==========

The X Window System is a graphical windowing system based on a  
client/server model.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  x11-base/xorg-server       < 21.1.4                    >= 21.1.4  
  2  x11-base/xwayland          < 22.1.3                    >= 22.1.3

Description  
===========

Multiple vulnerabilities have been discovered in X.Org X server and  
XWayland. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All X.Org X server users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-21.1.4"

All XWayland users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-base/xwayland-22.1.3"

References  
==========

[ 1 ] CVE-2022-2319  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2319  
[ 2 ] CVE-2022-2320  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2320

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-30

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-30

Gentoo Linux Security Advisory 202210-29 - Multiple vulnerabilities have been discovered in Net-SNMP, the worst of which could result in denial of service. Versions less than 5.9.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-29  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Net-SNMP: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #855500  
       ID: 202210-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Net-SNMP, the worst of  
which could result in denial of service.

Background  
==========

Net-SNMP is a suite of applications used to implement the Simple Network  
Management Protocol.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-analyzer/net-snmp      < 5.9.2                      >= 5.9.2

Description  
===========

Multiple vulnerabilities have been discovered in Net-SNMP. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Net-SNMP users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.9.2"

References  
==========

[ 1 ] CVE-2022-24805  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24805  
[ 2 ] CVE-2022-24806  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24806  
[ 3 ] CVE-2022-24807  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24807  
[ 4 ] CVE-2022-24808  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24808  
[ 5 ] CVE-2022-24809  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24809  
[ 6 ] CVE-2022-24810  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24810

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-29

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-29

Debian Linux Security Advisory 5264-1 - It was discovered that Apache Batik, a SVG library for Java, allowed attackers to run arbitrary Java code by processing a malicious SVG file.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5264-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyOctober 29, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : batikCVE ID         : CVE-2022-41704 CVE-2022-42890It was discovered that Apache Batik, a SVG library for Java, allowedattackers to run arbitrary Java code by processing a malicious SVG file.For the stable distribution (bullseye), these problems have been fixed inversion 1.12-4+deb11u1.We recommend that you upgrade your batik packages.For the detailed security status of batik please refer toits security tracker page at:https://security-tracker.debian.org/tracker/batikFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmNdoPxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeSwixAAz3126lRuHpJFXreXL0dbIwiahb36LhtNx29gI7C5QkzFt49svIswJ7JM+n9GokhtggWNuyN7wF6fyQzH7VEZSYW9yzzoUbbduJoTnBArtwYyuKdfg1KnWl7h/Wzvd8JuyLtMDCXivlqNbatfenoipUclYtB7bupb+8YX71GKxh/vXU9kR6jS5eQLUnLk2SdbVMfwEna+KqEjt4yyS7SXWNJcMOVPbQLPhvjq8xMVAaShxNjn0hk7gGEtH2TBFSp7UcX8kmuPCES/70t8cS7jiA8FjRRz1M8Lf12SZGLbCCtZMQdlY4Lc0OP22Di2PTwSU0cg6dQJPR9zbXeBMA6Bff6hsCs4eFUugmPE28N7zSs4cjiNvn//+Kf4C/unsaOMR6bony/z9AqjxjvYv34h3AVd0/8Bg9GLe6kYX38EaY7D/biiZKPgbkQzXo6DU7rm8fFEGcTj/1yY+ScgznkfPob6QYLpT+b0jF+KpLPfA/Lz2bOh2DNHUVV9hKLC3t8i02KPhxrwbbpeJ7L7F8o/Giw0Ho6m0RLCTm2+sR57t7cHF9B0PH7qZRsgMp4GSrydeUUK8SZGMus1NnSmqbfd4GiY2Wohd3GiN+YqIK4lWbhNi3RZg2VFaGsVRRVtnBAgaCCZcd0BjvNEIpOoPXro97I0lqwKiAqBnKZobh86/dU==yzAL-----END PGP SIGNATURE-----

Debian Security Advisory 5264-1

Gentoo Linux Security Advisory 202210-28 - A vulnerability has been discovered in exif which could result in denial of service. Versions less than 0.6.22 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-28  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: exif: Denial of Service  
     Date: October 31, 2022  
     Bugs: #783522  
       ID: 202210-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in exif which could result in denial  
of service.

Background  
==========

libexif is a library for parsing, editing and saving Exif metadata from  
images. exif is a small command line interface for libexif.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-gfx/exif             < 0.6.22                    >= 0.6.22

Description  
===========

There is a bug in exif's XML output format which can result in a null  
pointer dereference when outputting crafted JPEG EXIF data.

Impact  
======

A crafted JPEG image can trigger a denial of service in the form of a  
null pointer dereference.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All exif users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/exif-0.6.22"

References  
==========

[ 1 ] CVE-2021-27815  
      https://nvd.nist.gov/vuln/detail/CVE-2021-27815

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-28

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-28

Gentoo Linux Security Advisory 202210-27 - A vulnerability has been discovered in open-vm-tools which could allow for local privilege escalation. Versions less than 12.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-27  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: open-vm-tools: Local Privilege Escalation  
     Date: October 31, 2022  
     Bugs: #866227  
       ID: 202210-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in open-vm-tools which could allow  
for local privilege escalation.

Background  
==========

open-vm-tools contains tools for VMware guests.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-emulation/open-vm-tools  < 12.1.0                  >= 12.1.0

Description  
===========

A pipe accessible to unprivileged users in the VMWare guest does not  
sufficiently sanitize input.

Impact  
======

An unprivileged guest user could achieve root privileges within the  
guest.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All open-vm-tools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/open-vm-tools-12.1.0"

References  
==========

[ 1 ] CVE-2022-31676  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31676  
[ 2 ] VMSA-2022-0024.1

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-27

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#linux