Stephane Chazelas

**Nome do software vulnerável e versões afetadas** ksh versão 20120801 **Descrição** Foi identificada uma falha na forma como o ksh avalia determinadas variáveis de ambiente, permitindo que um invasor anule ou contorne restrições de ambiente para executar comandos de shell. Serviços e aplicativos que permitem que invasores remotos não autenticados forneçam uma dessas variáveis de ambiente podem permitir que eles explorem essa vulnerabilidade remotamente. **Recomendações** Para a versão 20120801 do ksh, considere restringir o uso de variáveis de ambiente que possam ser exploradas por invasores remotos até que um patch esteja disponível. Como solução temporária, limite a capacidade de serviços e aplicativos de aceitar variáveis de ambiente de fontes não autenticadas. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** zsh versions 5.4.2 and earlier **Description** The issue is related to a crash that occurs during the copy of an empty hash table in the zsh shell. This can be demonstrated using the `typeset -p` command. **Recommendations** For zsh versions 5.4.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** sudo versions 1.8.20p1 and earlier **Description** The issue is related to insufficient input validation, specifically embedded newlines, in the `get process ttyname()` function. This can result in information disclosure and command execution. A remote attacker may exploit this to execute arbitrary commands and gain access to information. **Recommendations** For sudo versions 1.8.20p1 and earlier, consider restricting access to the `get process ttyname()` function until a patch is available. As a temporary workaround, limit the execution of commands that utilize this function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.12 **Description** The issue is related to errors in security settings of the Perl component in Mac OS X, allowing a local attacker to bypass the Taint-mode protection mechanism using a specially crafted environment variable. **Recommendations** For versions prior to 10.12, update to version 10.12 or later to resolve the issue. As a temporary workaround, consider restricting the use of environment variables to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** sudo versions prior to 1.8.12 **Description** The issue allows local users to open arbitrary files for read access by running a program within an sudo session. This can be demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives, but it does not allow viewing file contents. **Recommendations** For versions prior to 1.8.12, update to version 1.8.12 or later to resolve the issue. As a temporary workaround, consider restricting the use of sudo sessions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Squid versions 2.x through 3.x **Description** The issue is related to an off-by-one error in the `snmpHandleUdp` function, which can be exploited by remote attackers. This error occurs when a specially crafted UDP SNMP request is sent, leading to a heap-based buffer overflow. As a result, attackers can cause a denial of service, leading to a crash, or possibly execute arbitrary code. **Recommendations** For Squid versions 2.x through 3.x, consider disabling the SNMP port or restricting access to it until a patch is available. As a temporary workaround, avoid using the `snmpHandleUdp` function in the `snmp core.cc` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libpam-modules versions prior to 1.1.3-2ubuntu2.1 on Ubuntu 11.10 libpam-modules versions prior to 1.1.2-2ubuntu8.4 on Ubuntu 11.04 libpam-modules versions prior to 1.1.1-4ubuntu2.4 on Ubuntu 10.10 libpam-modules versions prior to 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS libpam-modules versions prior to 0.99.7.1-5ubuntu6.5 on Ubuntu 8.04 LTS **Description** The issue allows local users to gain privileges by modifying the PATH environment variable to reference a malicious command. This can be achieved when using certain configurations, such as "session optional pam motd.so", in conjunction with the pam motd module in libpam-modules. The exploitation can be demonstrated via the uname command. **Recommendations** For libpam-modules versions prior to 1.1.3-2ubuntu2.1 on Ubuntu 11.10, update to version 1.1.3-2ubuntu2.1 or later. For libpam-modules versions prior to 1.1.2-2ubuntu8.4 on Ubuntu 11.04, update to version 1.1.2-2ubuntu8.4 or later. For libpam-modules versions prior to 1.1.1-4ubuntu2.4 on Ubuntu 10.10, update to version 1.1.1-4ubuntu2.4 or later. For libpam-modules versions prior to 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, update to version 1.1.1-2ubuntu5.4 or later. For libpam-modules versions prior to 0.99.7.1-5ubuntu6.5 on Ubuntu 8.04 LTS, update to version 0.99.7.1-5ubuntu6.5 or later.

**Name of the Vulnerable Software and Affected Versions** libnss-db version 2.2.3pre1 **Description** The issue allows local users to obtain sensitive information via a symlink attack involving a setgid or setuid application that uses the libnss-db module. This occurs because the module reads the DB CONFIG file in the current working directory. **Recommendations** For libnss-db version 2.2.3pre1, consider restricting access to the DB CONFIG file to prevent unauthorized reading of sensitive information. As a temporary workaround, avoid using setgid or setuid applications that utilize the libnss-db module in environments where the DB CONFIG file could be accessed by unauthorized users.

**Name of the Vulnerable Software and Affected Versions** Apport versions prior to 0.108.4 on Ubuntu 8.04 LTS Apport versions prior to 0.119.2 on Ubuntu 8.10 Apport versions prior to 1.0-0ubuntu5.2 on Ubuntu 9.04 **Description** The issue allows local users to delete arbitrary files due to improper removal of files from the application's crash-report directory. **Recommendations** For Apport version prior to 0.108.4 on Ubuntu 8.04 LTS, update to version 0.108.4 or later. For Apport version prior to 0.119.2 on Ubuntu 8.10, update to version 0.119.2 or later. For Apport version prior to 1.0-0ubuntu5.2 on Ubuntu 9.04, update to version 1.0-0ubuntu5.2 or later.