Daniele Bianco

**Name of the Vulnerable Software and Affected Versions** kdenetwork-kopete-devel versions 4.10.5 kdenetwork-krdc versions 4.10.5 kdenetwork-kopete versions 4.10.5 kdenetwork versions 4.10.5 kdenetwork-krfb-libs versions 4.10.5 kdenetwork-kget-libs versions 4.10.5 kdenetwork-kdnssd versions 4.10.5 kdenetwork-krfb versions 4.10.5 kdenetwork-fileshare-samba versions 4.10.5 kdenetwork-devel versions 4.10.5 kdenetwork-common versions 4.10.5 kdenetwork-krdc-devel versions 4.10.5 kdenetwork-krdc-libs versions 4.10.5 kdenetwork-kget versions 4.10.5 kdenetwork-kopete-libs versions 4.10.5 kdenetwork-debuginfo versions 4.10.5 LibVNCServer versions 0.9.9 and earlier **Description** The issue is related to multiple vulnerabilities in various packages of the kdenetwork suite, which can lead to a disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely by an authenticated attacker. Additionally, there are stack-based buffer overflows in the File Transfer feature of LibVNCServer, which can cause a denial of service and possibly allow the execution of arbitrary code. **Recommendations** For kdenetwork-kopete-devel version 4.10.5, restrict access to the vulnerable components until a patch is available. For kdenetwork-krdc version 4.10.5, consider disabling the vulnerable features to minimize the risk of exploitation. For kdenetwork-kopete version 4.10.5, avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved. For kdenetwork version 4.10.5, restrict access to the vulnerable modules to minimize the risk of exploitation. For kdenetwork-krfb-libs version 4.10.5, consider disabling the vulnerable functions until a patch is available. For kdenetwork-kget-libs version 4.10.5, avoid using the vulnerable variables in the affected API endpoints until the issue is resolved. For kdenetwork-kdnssd version 4.10.5, restrict access to the vulnerable components until a patch is available. For kdenetwork-krfb version 4.10.5, consider disabling the vulnerable features to minimize the risk of exploitation. For kdenetwork-fileshare-samba version 4.10.5, avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved. For kdenetwork-devel version 4.10.5, restrict access to the vulnerable modules to minimize the risk of exploitation. For kdenetwork-common version 4.10.5, consider disabling the vulnerable functions until a patch is available. For kdenetwork-krdc-devel version 4.10.5, avoid using the vulnerable variables in the affected API endpoints until the issue is resolved. For kdenetwork-krdc-libs version 4.10.5, restrict access to the vulnerable components until a patch is available. For kdenetwork-kget version 4.10.5, consider disabling the vulnerable features to minimize the risk of exploitation. For kdenetwork-kopete-libs version 4.10.5, avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved. For kdenetwork-debuginfo version 4.10.5, restrict access to the vulnerable modules to minimize the risk of exploitation. For LibVNCServer versions 0.9.9 and earlier, update to a version later than 0.9.9 to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LibVNCServer versions 0.9.9 and earlier **Description** The issue is related to an integer overflow in the MallocFrameBuffer function, which can be triggered by a remote VNC server advertising a large screen size. This can cause a heap-based buffer overflow, potentially leading to a denial of service (crash) and possibly allowing the execution of arbitrary code. The vulnerability may also allow a remote attacker to access confidential data, compromise its integrity, and cause a disruption of service. **Recommendations** For LibVNCServer versions 0.9.9 and earlier, consider disabling the MallocFrameBuffer function as a temporary workaround until a patch is available. Restrict access to the VNC server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNU Wget versions 1.12 and earlier wget versions prior to 1.12-r2 **Description** The issue allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename. This could possibly lead to the execution of arbitrary code as a consequence of writing to a dotfile in a home directory. Exploitation of this issue may lead to a breach of confidentiality, integrity, and availability of protected information and can be carried out remotely. **Recommendations** For GNU Wget versions 1.12 and earlier, update to a version later than 1.12 to resolve the issue. For wget versions prior to 1.12-r2, update to version 1.12-r2 or later to fix the problem. As a temporary workaround, consider disabling the use of server-provided filenames for determining the destination filename of a download until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libwww-perl versions prior to 5.835 **Description** The issue allows remote servers to create or overwrite files through a 3xx redirect to a URL with a crafted filename or a Content-Disposition header that suggests a crafted filename. This can possibly lead to the execution of arbitrary code as a consequence of writing to a dotfile in a home directory. The problem arises because the software does not reject downloads to filenames that begin with a . (dot) character. **Recommendations** For versions prior to 5.835, update to version 5.835 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `lwp-download` function to minimize the risk of exploitation. Avoid using the `lwp-download` function with untrusted URLs or servers until the issue is resolved.