Salvatore Bonaccorso

**Nome do software vulnerável e versões afetadas** Versões do needrestart anteriores à 3.8 **Descrição** O problema está relacionado a uma condição de corrida que permite que invasores locais executem código arbitrário como root, induzindo o needrestart a executar um interpretador Python falso. Isso é conseguido ao vencer a condição de corrida e substituir o interpretador Python real do sistema por um malicioso. A correção de segurança inicial introduziu uma regressão, que foi posteriormente resolvida. **Recomendações** Para versões do needrestart anteriores à 3.8, atualize para a versão 3.8 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso ao arquivo `usr/bin/python` para impedir a substituição por um executável malicioso até que um patch seja aplicado.

**Name of the Vulnerable Software and Affected Versions** GNU tar versions prior to 1.35 **Description** The issue arises from mishandled extension attributes in a PAX archive, which can cause an application crash in xheader.c. **Recommendations** For GNU tar versions prior to 1.35, update to version 1.35 or later to resolve the issue.

**Nome do software vulnerável e versões afetadas** Shibboleth Service Provider, versões 3.x a 3.2.1 **Descrição** O problema envolve uma falha de desreferência de ponteiro NULL no recurso de recuperação de sessão do Shibboleth Service Provider. Essa falha pode ser explorada para causar a falha do daemon em sistemas que não utilizam o recurso de recuperação de sessão, mediante o envio de um cookie malicioso. A exploração dessa falha pode permitir que um invasor remoto cause uma negação de serviço. **Recomendações** Para as versões 3.x a 3.2.1 do Shibboleth Service Provider, atualize para a versão 3.2.2 ou posterior para resolver o problema. Como solução alternativa temporária, considere restringir o acesso ao recurso de recuperação de sessão até que um patch esteja disponível.

**Nome do software vulnerável e versões afetadas** Versões 2.8.9 e anteriores do Lynx **Descrição** O problema está relacionado ao tratamento incorreto do subcomponente userinfo de um URI, permitindo que invasores remotos descubram credenciais em texto simples, uma vez que estas podem aparecer nos dados SNI ou nos cabeçalhos HTTP. Isso pode permitir que um invasor remoto acesse dados confidenciais. **Recomendações** Para as versões 2.8.9 e anteriores, atualize para uma versão que corrija o problema de tratamento do subcomponente userinfo, a fim de impedir que credenciais em texto simples sejam expostas nos dados SNI ou nos cabeçalhos HTTP. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Versões do libvirt anteriores à 6.0.0 **Descrição** O problema está relacionado ao tratamento incorreto da retenção de uma tarefa de monitoramento durante uma consulta a um agente convidado no arquivo qemu/qemu driver.c. Isso permite que invasores provoquem uma negação de serviço, resultando no bloqueio da API. **Recomendações** Para versões anteriores à 6.0.0, atualize para a versão 6.0.0 ou posterior para resolver o problema. Como solução alternativa temporária, considere restringir o acesso à funcionalidade de consulta do agente convidado para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Node-cookie-signature versions prior to 1.0.6 **Description** The issue is related to a timing attack due to the use of a fail-early comparison instead of a constant-time comparison in the `cookie-signature` module. This type of comparison allows attackers to exploit miniscule timing differences, providing per-character feedback on the correctness of a guess. As a result, the entropy gained from increased secret length is reduced, enabling an attacker to guess the secret in a significantly lower number of attempts. **Recommendations** Update to version 1.0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** libsoup versions 2.65.1 through 2.68.1 **Description** The issue is caused by a heap-based buffer over-read in the `soup ntlm parse challenge()` function, located in `soup-auth-ntlm.c`, which fails to properly check the length of an NTLM message before performing a `memcpy`. This can allow a remote attacker to impact the integrity, confidentiality, and availability of protected information. **Recommendations** For versions 2.65.1 through 2.68.1, consider disabling the `soup ntlm parse challenge()` function as a temporary workaround until a patch is available. Restrict access to NTLM authentication to minimize the risk of exploitation. Avoid using NTLM authentication in the affected `libsoup` versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DOSBox versions 0.74-2 **Description** The issue is related to insufficient access control in the emulator. Exploitation of this issue may allow a remote attacker to impact data integrity, gain access to confidential data, and cause a denial of service. **Recommendations** For DOSBox versions 0.74-2, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OnionShare versions 1.3.1 and earlier **Description** The issue concerns the `debug mode` function in `web/web.py`, which uses the `/tmp/onionshare server.log` pathname for logging when `--debug` is enabled. This might allow local users to overwrite files or obtain sensitive information by using this pathname. **Recommendations** For OnionShare versions 1.3.1 and earlier, as a temporary workaround, consider disabling the `debug mode` function until a patch is available. Restrict access to the `/tmp/onionshare server.log` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PolicyKit versions 0.115 **Description** The issue is related to errors in handling large user ID values (exceeding INT MAX) in the PolicyKit platform, which can lead to the execution of any systemctl command. This can allow an attacker to bypass authentication procedures. **Recommendations** For PolicyKit version 0.115, update to a version that fixes this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPMailer versions prior to 5.2.27 PHPMailer versions 6.x prior to 6.0.6 **Description** The issue is related to insufficient input validation in the PHPMailer library, allowing a remote attacker to perform an object injection attack. This could potentially lead to remote code execution. The vulnerability can be exploited by passing `phar://` paths into functions like `addAttachment()`, which may receive unfiltered local paths. It is reported that the estimated number of potentially affected devices is not provided. **Recommendations** For PHPMailer versions prior to 5.2.27, update to version 5.2.27 or later. For PHPMailer versions 6.x prior to 6.0.6, update to version 6.0.6 or later. As a temporary workaround, consider validating and sanitizing user input before using it, and block the use of paths containing URL-protocol style prefixes such as `phar://`.

Name of the Vulnerable Software and Affected Versions: LibTIFF version 4.0.9 Description: The issue is related to a NULL pointer dereference in the `LZWDecode` function. This can be exploited by a remote attacker using a specially crafted graphic file, potentially allowing the execution of arbitrary code or causing a denial of service. Recommendations: For LibTIFF version 4.0.9, consider disabling the `LZWDecode` function as a temporary workaround until a patch is available. Restrict the use of LibTIFF to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libmp4v2 version 2.1.0 **Description** The issue arises from the function `MP4Free()` in `mp4property.cpp`, which internally calls `free()` on an invalid pointer. This results in a SIGABRT signal being raised. **Recommendations** For libmp4v2 version 2.1.0, consider disabling the `MP4Free()` function as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libmp4v2 version 2.1.0 **Description** The issue arises from the function `mp4v2::impl::MP4Track::FinishSdtp()` in `mp4track.cpp`, which mishandles `compatibleBrand` while processing a crafted mp4 file. This leads to a heap-based buffer over-read, resulting in denial of service. **Recommendations** For libmp4v2 version 2.1.0, as a temporary workaround, consider disabling the `FinishSdtp()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Gitolite versions prior to 3.6.9 **Description** The issue arises from improper access restriction to a Git repository during migration, potentially allowing valid users to gain unintended access in certain configurations involving @all or a regex. **Recommendations** For versions prior to 3.6.9, update to version 3.6.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Artifex MuPDF version 1.13.0 **Description** The issue allows remote attackers to cause a denial of service, resulting in a segmentation fault, via a crafted pdf file. This occurs due to a problem in the `pdf get xref entry` function. **Recommendations** For Artifex MuPDF version 1.13.0, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Artifex MuPDF version 1.13.0 **Description** The issue allows remote attackers to cause a denial of service, resulting in a segmentation fault, by providing a crafted pdf file. This is due to an array-index underflow in the pdf dev alpha array in pdf/pdf-device.c. **Recommendations** For Artifex MuPDF version 1.13.0, consider avoiding the use of the fz append byte function in fitz/buffer.c until a patch is available. As a temporary workaround, restrict the processing of crafted pdf files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** LibTIFF version 4.0.9 **Description** The issue allows remote attackers to cause a denial of service, which is a heap-based buffer overflow and application crash, or possibly have other unspecified impacts via a crafted TIFF file. This can be demonstrated using tiff2pdf. **Recommendations** For LibTIFF version 4.0.9, update to a version that fixes the issue in the ChopUpSingleUncompressedStrip function in tif dirread.c to prevent a heap-based buffer overflow and application crash. As a temporary workaround, consider restricting the processing of crafted TIFF files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SquirrelMail versions prior to 1.4.23 **Description** The issue concerns the mail message display page in SquirrelMail, where an XSS attack can be performed using SVG animations, specifically by manipulating the `animate` attribute to execute malicious code. **Recommendations** For SquirrelMail versions prior to 1.4.23, update to version 1.4.23 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.9.190 Linux kernel versions prior to 4.14.139 **Description** The issue is related to a change in the net/ipv4/tcp output.c component of the Linux kernel, which was incorrectly backported to earlier longterm kernels. This introduced a new vulnerability that can be exploited by a local attacker to trigger multiple use-after-free conditions by adding to a write queue between disconnection and re-connection. This can result in a kernel crash or potentially in privilege escalation. **Recommendations** For Linux kernel versions prior to 4.9.190, update to version 4.9.190 or later to resolve the issue. For Linux kernel versions prior to 4.14.139, update to version 4.14.139 or later to resolve the issue. As a temporary workaround, consider restricting access to the net/ipv4/tcp output.c component to minimize the risk of exploitation.