Rootup

**Name of the Vulnerable Software and Affected Versions** iccDEV versions prior to 2.3.1.2 **Description** iccDEV is a set of libraries and tools for interacting with ICC color management profiles. A heap-buffer-overflow issue exists in the `IccTagXml()` function in versions prior to 2.3.1.2. **Recommendations** Update to version 2.3.1.2 or later.

**Nome do software vulnerável e versões afetadas** Versões anteriores à 1.31.0 **Descrição** O problema decorre do fato de os arquivos locais não serem tratados corretamente como origens de segurança únicas, permitindo que solicitem indevidamente recursos de origem cruzada. Por exemplo, um arquivo local pode solicitar outros arquivos locais por meio de um documento XML. **Recomendações** Para versões anteriores à 1.31.0, atualize para a versão 1.31.0 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso a arquivos locais para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Xpdf version 3.04 **Description** The issue occurs due to a SIGSEGV in XRef::fetch in XRef.cc after many recursive calls to Catalog::countPageTree in Catalog.cc. **Recommendations** For Xpdf version 3.04, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MacDown version 0.7.1 **Description** The issue allows directory traversal, enabling the execution of arbitrary programs. This can be achieved by including a `file:///` or `../` substring in a shared note. **Recommendations** For MacDown version 0.7.1, consider avoiding the use of `file:///` or `../` substrings in shared notes until a fix is available. As a temporary workaround, restrict access to shared notes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Typora version 0.9.9.24.6 **Description** The issue allows directory traversal, enabling the execution of arbitrary programs. This can be achieved by including a `file:///` or `../` substring in a shared note. **Recommendations** For Typora version 0.9.9.24.6, consider avoiding the use of `file:///` or `../` substrings in shared notes until a patch is available. As a temporary workaround, restrict access to shared notes to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HTSlib version 1.8 **Description** A race condition exists in the cram/cram io.c file of HTSlib, potentially allowing local users to overwrite arbitrary files via a symlink attack. **Recommendations** For HTSlib version 1.8, consider restricting access to the cram io.c file as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Exiv2 version 0.26 **Description** The issue is related to the misuse of the realpath function in the example code of Exiv2 on POSIX platforms, excluding Apple platforms where glibc is not used. This could potentially lead to a buffer overflow. **Recommendations** For Exiv2 version 0.26, consider applying a patch or fix to correctly use the realpath function to prevent potential buffer overflow issues. At the moment, there is no information about a newer version that contains a fix for this vulnerability.