Simon Mcvittie

**Nome do software vulnerável e versões afetadas** snapd versão 2.54.2 **Descrição** O problema está relacionado a uma condição de corrida no binário snap-confine do utilitário snapd, que pode ser explorada para obter privilégios de root através da execução de código arbitrário. Isso pode ser feito por um invasor local que monte por ligação (bind-mount) seu próprio conteúdo dentro do namespace de montagem privado do snap, fazendo com que o snap-confine execute o código e resultando em escalonamento de privilégios. **Recomendações** Para a versão 2.54.2 do snapd, atualize para a versão 2.54.3+18.04, 2.54.3+20.04 ou 2.54.3+21.10.1 para resolver o problema. Como solução alternativa temporária, considere restringir o acesso ao binário `snap-confine` até que um patch esteja disponível.

**Nome do software vulnerável e versões afetadas: Versões do Flatpak 0.11.4 a 1.8.4 Versões do Flatpak 1.9.0 a 1.9.3 Descrição: Foi descoberto um bug no serviço `flatpak-portal` que pode permitir que aplicativos em sandbox executem código arbitrário no sistema host. O serviço D-Bus do portal Flatpak (`flatpak-portal`, também conhecido pelo nome de serviço D-Bus `org.freedesktop.portal.Flatpak`) permite que aplicativos em uma sandbox Flatpak iniciem seus próprios subprocessos em uma nova instância de sandbox. Nas versões vulneráveis, o serviço do portal Flatpak passa variáveis de ambiente especificadas pelo chamador para processos fora da sandbox no sistema host e, em particular, para o comando `flatpak run`, usado para iniciar a nova instância da sandbox. Um aplicativo Flatpak malicioso ou comprometido poderia definir variáveis de ambiente confiáveis para o comando `flatpak run` e usá-las para executar código arbitrário que não esteja na sandbox. Recomendações: Para as versões 0.11.4 a 1.8.4, atualize para a versão 1.8.5 ou posterior. Para as versões 1.9.0 a 1.9.3, atualize para a versão 1.9.4 ou posterior. Como solução alternativa temporária, considere impedir que o serviço `flatpak-portal` seja iniciado, mas essa medida impedirá que muitos aplicativos Flatpak funcionem corretamente.

**Name of the Vulnerable Software and Affected Versions** GNOME gvfs versions prior to 1.38.3 GNOME gvfs versions 1.40.x prior to 1.40.2 GNOME gvfs versions 1.41.x prior to 1.41.3 **Description** The issue is related to errors in the authorization procedure of the GVFS subsystem in the GNOME desktop environment for Linux operating systems. A local attacker could connect to the D-Bus server socket and issue D-Bus method calls, potentially allowing them to exploit the vulnerability. The server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does. **Recommendations** For versions prior to 1.38.3, update to version 1.38.3 or later. For versions 1.40.x prior to 1.40.2, update to version 1.40.2 or later. For versions 1.41.x prior to 1.41.3, update to version 1.41.3 or later.

**Name of the Vulnerable Software and Affected Versions** Glib versions prior to 2.60.0 **Description** The issue is related to incorrect permission handling in the Glib library, specifically in the functions `g file make directory with parents` and `g file replace contents`. This can allow a remote attacker to elevate their privileges and gain access to files. The keyfile settings backend in GNOME GLib creates directories and files with improper permission restrictions, using 0777 permissions for directories and default file permissions for files. **Recommendations** For versions prior to 2.60.0, update to version 2.60.0 or later to resolve the issue. As a temporary workaround, consider restricting access to directories and files created using the `g file make directory with parents` and `g file replace contents` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Flatpak versions prior to 1.0.7 Flatpak versions 1.1.x Flatpak versions 1.2.x prior to 1.2.3 **Description** The issue is related to errors in handling file descriptors in the Flatpak application and environment management tool. Exploitation of this issue may allow an attacker to modify arbitrary executable files on the host side by running the `apply extra` script. The vulnerability exposes /proc in the apply extra script sandbox, which enables attackers to modify a host-side executable file. **Recommendations** For Flatpak versions prior to 1.0.7, update to version 1.0.7 or later. For Flatpak versions 1.1.x, update to version 1.2.3 or later. For Flatpak versions 1.2.x prior to 1.2.3, update to version 1.2.3 or later. As a temporary workaround, consider restricting access to the `apply extra` script until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ikiwiki versions prior to 3.20160506 **Description** A cross-site scripting (XSS) issue exists, potentially allowing remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message in the cgierror function in CGI.pm. **Recommendations** For versions prior to 3.20160506, update to version 3.20160506 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** python-dbusmock versions prior to 0.15.1 **Description** The issue allows an attacker to execute malicious code by supplying a .pyc file, potentially tricking the AddTemplate() D-Bus method call or the DBusTestCase.spawn server template() method into executing the malicious code. **Recommendations** For versions prior to 0.15.1, update to version 0.15.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the AddTemplate() D-Bus method call and the DBusTestCase.spawn server template() method to minimize the risk of exploitation. Avoid using these methods with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Midgard2 version 10.05.7.1 **Description** The default D-Bus access control rule in Midgard2 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges. **Recommendations** For Midgard2 version 10.05.7.1, consider modifying the D-Bus access control rule to restrict local users from sending arbitrary method calls or signals to any process on the system bus. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Bus versions 1.3.0 through 1.6.x before 1.6.24 D-Bus versions 1.8.x before 1.8.8 **Description** The issue is caused by an off-by-one error when running on a 64-bit system and the max message unix fds limit is set to an odd number. This allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure. The vulnerability can be exploited to compromise the confidentiality, integrity, and availability of protected information. **Recommendations** For D-Bus versions 1.3.0 through 1.6.x before 1.6.24, update to version 1.6.24 or later to resolve the issue. For D-Bus versions 1.8.x before 1.8.8, update to version 1.8.8 or later to resolve the issue. As a temporary workaround, consider setting the max message unix fds limit to an even number to prevent the off-by-one error.

**Name of the Vulnerable Software and Affected Versions** D-Bus versions 1.4.x through 1.6.x before 1.6.30 D-Bus versions 1.8.x before 1.8.16 D-Bus versions 1.9.x before 1.9.10 **Description** The issue is caused by synchronization errors when using a shared resource in the D-Bus interprocess communication system. Exploitation of this issue may allow an attacker to cause a denial of service due to the lack of functionality to check the source of the `ActivationFailure` signal. Local users can leverage a race condition involving sending an `ActivationFailure` signal before systemd responds, resulting in an activation failure error. **Recommendations** For D-Bus versions 1.4.x through 1.6.x before 1.6.30, update to version 1.6.30 or later. For D-Bus versions 1.8.x before 1.8.16, update to version 1.8.16 or later. For D-Bus versions 1.9.x before 1.9.10, update to version 1.9.10 or later.

**Name of the Vulnerable Software and Affected Versions** telepathy-idle versions prior to 0.1.15 **Description** The issue arises from inadequate verification of X.509 certificates. Specifically, it does not check (1) if the issuer is a trusted Certificate Authority (CA), (2) if the server hostname matches a domain name in the subject's Common Name (CN), or (3) the expiration date of the certificate. This oversight allows man-in-the-middle attackers to spoof SSL servers by using any valid certificate. **Recommendations** For versions prior to 0.1.15, update to version 0.1.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ioquake3 versions prior to r2253 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on the /tmp/ioq3.pid temporary file. **Recommendations** For versions prior to r2253, update to version r2253 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.2.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in a divide-by-zero error and a kernel panic, through IGMP packets. This is due to the `igmp heard query` function in `net/ipv4/igmp.c`. **Recommendations** For Linux kernel versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to IGMP packets to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Net::Ping::External versions through 0.15 **Description** The issue is related to the lack of input sanitization in the Net::Ping::External extension for Perl, specifically with regards to shell metacharacters in arguments such as invalid hostnames. This allows for shell command injection and arbitrary command execution if untrusted input is used. The vulnerability can be exploited by a remote attacker to execute arbitrary commands using shell metacharacters. **Recommendations** For versions through 0.15, consider disabling the use of backticks in External.pm or restricting input to trusted sources until a patch is available. As a temporary workaround, avoid using untrusted input for the `hostname` variable in the affected API endpoint. Restrict access to the vulnerable Net::Ping::External extension to minimize the risk of exploitation.