Murray Mcallister

**Name of the Vulnerable Software and Affected Versions** Slackware versions 14.0 through 14.1 Slackware LLVM versions 3.0-i486-2 through 3.3-i486-2 **Description** The issue allows remote attackers to execute arbitrary code with root privileges due to world-writable permissions on the /tmp directory. **Recommendations** For Slackware versions 14.0 through 14.1, change the permissions of the /tmp directory to prevent world-writable access. For Slackware LLVM versions 3.0-i486-2 through 3.3-i486-2, modify the permissions of the /tmp directory to restrict unauthorized access.

**Name of the Vulnerable Software and Affected Versions** 9base versions 1:6-6 through 1:6-7 **Description** The issue is related to the insecure creation of temporary files, resulting in predictable filenames. **Recommendations** For versions 1:6-6 through 1:6-7, consider implementing secure temporary file creation mechanisms to prevent predictable filenames. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.11.5 **Description** The issue concerns the `vmw gb surface define ioctl` function, accessible via the `DRM IOCTL VMW GB SURFACE CREATE` ioctl call, which does not properly initialize a `backup handle` variable. This allows local users to obtain sensitive information from uninitialized kernel memory by creating a GB surface with a previously allocated DMA buffer as a backup buffer, and then making a crafted ioctl call. **Recommendations** For Linux kernel versions prior to 4.11.5, update to version 4.11.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.9.7 **Description** The issue is caused by an integer overflow in the `vc4 get bcl` function of the VideoCore DRM driver. This can be exploited by a local attacker using a specially crafted `VC4 SUBMIT CL` ioctl call with a malicious size value, potentially leading to a denial of service or other unspecified impacts. **Recommendations** For Linux kernel versions prior to 4.9.7, update to version 4.9.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `vc4 get bcl` function or the `VC4 SUBMIT CL` ioctl call to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Snoopy (affected versions not specified) Description: The issue in Snoopy allows remote attackers to execute arbitrary commands due to an incomplete fix. This is related to the ` httpsrequest` function. Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Byzanz (affected versions not specified) **Description** The issue concerns a crafted Byzanz debug data recording (ByzanzRecording file) that can be used to cause a denial of service or possibly execute arbitrary code when played back using the byzanz-playback command. This is due to an out-of-bounds heap write in the GIF encoder. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** potrace version 1.11 **Description** The issue is related to multiple integer overflows that allow remote attackers to cause a denial of service, resulting in a crash. This is achieved by exploiting large dimensions in a BMP image, which triggers a buffer overflow. **Recommendations** For potrace version 1.11, consider updating to a newer version that addresses the integer overflows to prevent the denial of service and buffer overflow issues. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pbm212030 **Description** The issue is related to multiple buffer overflows that can be triggered by a crafted PBM image. This can cause a denial of service (crash) or possibly allow the execution of arbitrary code. The buffer overflows are related to (1) stream line data, which triggers a heap-based buffer overflow, and (2) vectors related to an internal intermediate heap-based buffer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lua versions 5.1 through 5.2.x before 5.2.3 **Description** The issue is caused by a buffer overflow in the vararg functions in ldo.c, allowing context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments. This can be exploited by a remote attacker using a large number of variable-length arguments. **Recommendations** For Lua versions 5.1 through 5.2.x before 5.2.3, update to version 5.2.3 or later to resolve the issue. As a temporary workaround, consider restricting the number of arguments passed to functions with a large number of fixed arguments to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libgfortran (affected versions not specified) **Description** The issue is related to multiple integer overflows in libgfortran, which could allow remote attackers to execute arbitrary code or cause a denial of service, resulting in a Fortran application crash. This is achieved through vectors related to array allocation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.6 **Description** The issue is related to a function `cache invalidate` in the `mod cache` module. It allows remote HTTP servers to cause a denial of service, resulting in a daemon crash due to a NULL pointer dereference. This occurs when a caching forward proxy is enabled and a missing hostname value is triggered. The estimated number of potentially affected devices is not provided. **Recommendations** For Apache HTTP Server version 2.4.6, update to version 2.4.7 or later to resolve the issue. As a temporary workaround, consider disabling the `cache invalidate` function in the `mod cache` module until a patch is available. Restrict access to the caching forward proxy configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Lynis versions prior to 1.5.5 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on a /tmp/lynis.*.unsorted file with an easily determined name. **Recommendations** For versions prior to 1.5.5, update to version 1.5.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Lynis version 1.5.4 and earlier **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on a /tmp/lynis.##### file in the include/tests webservers component of Lynis. **Recommendations** For versions prior to 1.5.5, consider updating to version 1.5.5 or later to resolve the issue. As a temporary workaround, restrict access to the /tmp directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Flag module versions 7.x-3.0 through 7.x-3.5 **Description** The issue allows remote authenticated administrators to execute arbitrary PHP code via the "Flag import code" text area in the `/admin/structure/flags/import` API endpoint. This could potentially be exploited by other attackers if the administrator ignores a security warning on the permissions assignment page. **Recommendations** For Flag module versions 7.x-3.0 through 7.x-3.5, consider disabling the `flag import form validate` function until a patch is available to prevent exploitation. Restrict access to the `/admin/structure/flags/import` endpoint to minimize the risk of arbitrary PHP code execution. Avoid using the `Flag import code` text area in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** elfutils versions 0.153 through 0.158 **Description** The issue is related to an integer overflow in the `check section` function within the libdw library, used by elfutils. This overflow can be triggered by a malformed compressed debug section in an ELF file, leading to a heap-based buffer overflow. As a result, remote attackers may cause a denial of service, such as an application crash, or potentially execute arbitrary code. **Recommendations** For elfutils versions 0.153 through 0.158, consider updating to a version where this issue is fixed, as using a malformed compressed debug section in an ELF file could lead to a denial of service or code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cups-filters versions 1.0.41 through 1.0.50 **Description** The issue allows remote IPP printers to execute arbitrary commands via shell metacharacters in the model or PDL, related to System V interface scripts generated for queues. This can lead to a violation of confidentiality, integrity, and availability of protected information. **Recommendations** For versions 1.0.41 through 1.0.50, update to version 1.0.51 or later to resolve the issue. As a temporary workaround, consider restricting access to the `model` and `PDL` parameters in the IPP protocol to minimize the risk of exploitation. Avoid using shell metacharacters in these parameters until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.2.16 **Description** The issue allows remote attackers to execute arbitrary SQL commands via unspecified parameters to various functions, including `mc project get attachments` in `api/soap/mc project api.php`, `news get limited rows` in `core/news api.php`, and several functions in `core/summary api.php` and `plugins/MantisGraph/core/graph api.php`. This is related to the use of the `db query` function. **Recommendations** For versions prior to 1.2.16, update to version 1.2.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints and functions, such as `/api/soap/mc project api.php` and `core/news api.php`, until a patch is available. Avoid using unspecified parameters in the affected functions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** cups-filters versions prior to 1.0.53 **Description** The issue involves multiple vulnerabilities in the cups-filters package that can lead to breaches of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Specifically, there are multiple integer overflows in the pdftoopvp filter, which can allow remote attackers to execute arbitrary code via a crafted PDF file, triggering a heap-based buffer overflow. **Recommendations** For versions prior to 1.0.53, update to version 1.0.53 or later to resolve the issue. As a temporary workaround, consider restricting access to the pdftoopvp filter until a patch is available. Avoid using the cups-filters package with untrusted PDF files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** IcedTea-Web versions prior to 1.4.2 **Description** The issue affects the LiveConnect implementation, allowing local users to intercept communication between a Java applet and a web browser. This is achieved by pre-creating a temporary socket file with a predictable name in /tmp, enabling the user to read the messages exchanged between the applet and the browser. **Recommendations** For versions prior to 1.4.2, update to version 1.4.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** fwsnort versions prior to 1.6.4 **Description** The issue allows local users to execute arbitrary code via a Trojan horse fwsnort.conf in the current working directory when fwsnort is not running as root. **Recommendations** For versions prior to 1.6.4, update to version 1.6.4 or later to resolve the issue. As a temporary workaround, consider running fwsnort as root to minimize the risk of exploitation. Restrict access to the fwsnort.conf file to prevent unauthorized modifications.