Brian M. Carlson

**Nome do software vulnerável e versões afetadas** Versões do Go anteriores à 1.17.11 Versões do Go anteriores à 1.18.3 **Descrição** A vulnerabilidade permite a injeção de código no Cmd.Start em os/exec, possibilitando a execução de quaisquer binários no diretório de trabalho com nomes “..com” ou “..exe” ao chamar `Cmd.Run`, `Cmd.Start`, `Cmd.Output` ou `Cmd.CombinedOutput` quando `Cmd.Path` não está definido. Isso ocorre no Windows. **Recomendações** Para versões do Go anteriores à 1.17.11, atualize para o Go 1.17.11 ou posterior para resolver o problema. Para versões do Go anteriores à 1.18.3, atualize para o Go 1.18.3 ou posterior para resolver o problema. Como solução alternativa temporária, considere definir `Cmd.Path` para um executável específico a fim de evitar a execução não intencional de binários no diretório de trabalho.

**Name of the Vulnerable Software and Affected Versions** Acon versions 1.0.5-5 through 1.0.5-7 **Description** The issue is related to multiple stack-based buffer overflows in files acon.c, menu.c, and child.c. This allows local users to execute arbitrary code via a long HOME environment variable or a large number of terminal columns. **Recommendations** For versions 1.0.5-5 through 1.0.5-7, consider restricting access to the affected files acon.c, menu.c, and child.c to minimize the risk of exploitation. As a temporary workaround, limit the length of the HOME environment variable and the number of terminal columns to prevent buffer overflows. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** a2ps versions 4.14 **Description** The issue concerns multiple vulnerabilities in the a2ps package of the Debian GNU/Linux operating system, which can be exploited to compromise the confidentiality, integrity, and availability of protected information. Exploitation of these vulnerabilities can be performed remotely. Specifically, the fixps script in a2ps does not use the -dSAFER option when executing gs, allowing context-dependent attackers to delete arbitrary files or execute arbitrary commands via a crafted PostScript file. **Recommendations** For a2ps version 4.14, consider disabling the fixps script until a patch is available to prevent potential exploitation. Restrict access to the gs execution to minimize the risk of arbitrary file deletion or command execution. Avoid using crafted PostScript files in the affected a2ps version until the issue is resolved.