Debian · Osh · CVE-2005-3346
**Name of the Vulnerable Software and Affected Versions**
OSH versions 1.7 through 1.7-14
**Description**
The issue concerns multiple vulnerabilities in the OSH package of the Debian GNU/Linux operating system, which can be exploited by a local attacker to compromise the confidentiality, integrity, and availability of protected information. A buffer overflow vulnerability exists in the environment variable substitution code, allowing local users to inject arbitrary environment variables, such as `LD_PRELOAD`, via specially crafted pathname arguments.
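
A bounds-checked form of the kind of `$NAME` substitution in pathname arguments described above, as an added example: it is not OSH's code, which this page does not show, and `expand_path` and `VAR_NAME_MAX` are hypothetical names. It refuses any expansion that would not fit the destination buffer instead of writing past it.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define VAR_NAME_MAX 64   /* assumed limit on a variable name (hypothetical) */

/* Expand $NAME references in `in` into `out` (capacity `outsz`, NUL included).
 * Returns 0 on success, -1 if the result would not fit or a name is too long.
 * On failure `out` is set to "" so a truncated path is never used. */
int expand_path(const char *in, char *out, size_t outsz)
{
    size_t used = 0;

    if (outsz == 0)
        return -1;
    while (*in != '\0') {
        const char *chunk = in;             /* default: one literal character */
        size_t len = 1;
        char name[VAR_NAME_MAX];

        if (in[0] == '$' && (isalpha((unsigned char)in[1]) || in[1] == '_')) {
            size_t n = 0;
            in++;
            while (isalnum((unsigned char)*in) || *in == '_') {
                if (n + 1 >= sizeof name)
                    goto fail;              /* name too long: refuse */
                name[n++] = *in++;
            }
            name[n] = '\0';
            chunk = getenv(name);
            if (chunk == NULL)
                chunk = "";                 /* unset variable expands to nothing */
            len = strlen(chunk);
        } else {
            in++;
        }
        /* Check before every copy; invariant used < outsz avoids wraparound. */
        if (len >= outsz - used)
            goto fail;
        memcpy(out + used, chunk, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
fail:
    out[0] = '\0';
    return -1;
}
```

The length of the variable's value comes from the environment, which the local user controls, so the check has to be made against the space remaining at the moment of each copy, not against the length of the original argument.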
**Recommendations**
For OSH versions 1.7 through 1.7-14, consider restricting access to sensitive environment variables to minimize the risk of exploitation. As a temporary workaround, avoid using environment variable substitutions in pathname arguments until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.