Alexander Bergmann

**Name of the Vulnerable Software and Affected Versions** Linux PAM pam-config (affected versions not specified) **Description** A Local Privilege Escalation (LPE) flaw exists in pam-config within Linux Pluggable Authentication Modules (PAM). This issue allows an unprivileged local attacker, such as one connected via SSH, to acquire elevated privileges typically reserved for a physically present user with "allow active" status. Consequently, the attacker may perform Polkit actions marked as "allow active yes", which are generally restricted to console users, potentially leading to unauthorized control over system configurations, services, or other sensitive operations. Additionally, the Udisks component of the Linux-PAM authentication module may be affected by configuration errors that could allow an attacker to gain root privileges via SSH. **Recommendations** Update pam-config to stop adding `pam env` in the AUTH stack and ensure this module is placed at the end of the SESSION stack. Update pam to change the default behavior of `pam env` to not read the user `.pam environment` file. Update pam to ensure `pam namespace` functions operate on file descriptors instead of absolute paths when dealing with user-controlled paths.

**Name of the Vulnerable Software and Affected Versions** multipath-tools versions 0.7.0 through 0.9.x before 0.9.2 multipath-tools versions prior to 0.9.2 **Description** The issue is related to errors in privilege management, allowing an attacker to elevate their privileges to root. Local users who can write to UNIX domain sockets can bypass access controls and manipulate the multipath setup, leading to local privilege escalation. This occurs because an attacker can repeat a keyword, which is mishandled due to the use of arithmetic ADD instead of bitwise OR. **Recommendations** For multipath-tools versions 0.7.0 through 0.9.x before 0.9.2, update to version 0.9.2 or later to resolve the issue. For multipath-tools versions prior to 0.9.2, update to version 0.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to UNIX domain sockets to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** multipath-tools versions 0.7.7 through 0.9.x before 0.9.2 **Description** The issue is related to incorrect handling of symlinks in multipathd, allowing local users who can access /dev/shm to change symlinks. This could lead to controlled file writes outside of the /dev/shm directory, potentially allowing for local privilege escalation to root. The problem is associated with incorrect symlink handling before accessing a file, which could enable an attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** For multipath-tools versions 0.7.7 through 0.9.x before 0.9.2, consider updating to version 0.9.2 or later to resolve the issue. As a temporary workaround, restrict access to /dev/shm to minimize the risk of exploitation. Additionally, consider disabling the multipathd service until a patch is applied to prevent potential abuse.

**Name of the Vulnerable Software and Affected Versions** AccountService version 0.6.37 **Description** An issue exists in the `user change password authorized cb()` function in user.c, which could let a local user obtain encrypted passwords. **Recommendations** For version 0.6.37, consider restricting access to the `user change password authorized cb()` function until a patch is available. As a temporary workaround, avoid using the `user change password authorized cb()` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** net-ldap gem versions prior to 0.16.2 **Description** The issue concerns the generation of SSHA passwords using a weak salt in the Ruby net-ldap gem. **Recommendations** For versions prior to 0.16.2, update to version 0.16.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 5.2.14 **Description** The issue is related to a NULL pointer dereference in the Linux kernel, specifically in the drivers/gpu/drm/amd/amdkfd/kfd interrupt.c component. This occurs because the alloc workqueue return value is not checked, leading to a potential denial of service. The security community disputes the severity of this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 5.2.14 **Description** The issue is related to a NULL pointer dereference in the Linux kernel, specifically in the radeon display driver. This occurs because the alloc workqueue return value is not checked, potentially leading to a crash. It is noted that the work queue allocation happens during device initialization, which for a graphics card, occurs during boot, and is not attacker controllable. Additionally, it is mentioned that exploitation of this issue could allow a local attacker to cause a denial of service. **Recommendations** For Linux kernel version 5.2.14, consider applying a patch that checks the return value of alloc workqueue to prevent NULL pointer dereferences. As a temporary workaround, ensure that the system has sufficient resources during boot to minimize the likelihood of out-of-memory conditions.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.7 **Description** The issue allows physically proximate attackers to cause a denial of service, resulting in a system crash, by utilizing a crafted no-journal filesystem. **Recommendations** For Linux kernel versions prior to 3.7, update to version 3.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenJPEG (affected versions not specified) **Description** A heap-based buffer overflow was found in the way OpenJPEG parsed certain image files from a JPEG2000 image. If a specially-crafted image were opened by an application linked against OpenJPEG, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.