Jakub Wilk

**Name of the Vulnerable Software and Affected Versions** Python versions 3.12 and later **Description** This vulnerability allows modification of file metadata (e.g., last modified) or file permissions of files outside the intended extraction directory when using the `tarfile` module to extract untrusted tar archives with the `filter="data"` or `filter="tar"` options. For Python 3.14 and later, the default value of the `filter` parameter changed to `"data"`. **Recommendations** Update to a newer version of Python. Specifically, the following package versions address the vulnerability: * `idle-python3.12 - 3.12.7-1ubuntu2.2` * `libpython3.12-dev - 3.12.7-1ubuntu2.2` * `libpython3.12-minimal - 3.12.7-1ubuntu2.2` * `libpython3.12-stdlib - 3.12.7-1ubuntu2.2` * `libpython3.12-testsuite - 3.12.7-1ubuntu2.2` * `libpython3.12t64 - 3.12.7-1ubuntu2.2` * `python3.12 - 3.12.7-1ubuntu2.2` * `python3.12-dev - 3.12.7-1ubuntu2.2` * `python3.12-doc - 3.12.7-1ubuntu2.2` * `python3.12-examples - 3.12.7-1ubuntu2.2` * `python3.12-full - 3.12.7-1ubuntu2.2` * `python3.12-gdbm - 3.12.7-1ubuntu2.2` * `python3.12-minimal - 3.12.7-1ubuntu2.2` * `python3.12-nopie - 3.12.7-1ubuntu2.2` * `python3.12-tk - 3.12.7-1ubuntu2.2` * `python3.12-venv - 3.12.7-1ubuntu2.2` * `idle-python3.13 - 3.13.0-1ubuntu0.3` * `libpython3.13 - 3.13.0-1ubuntu0.3` * `libpython3.13-dev - 3.13.0-1ubuntu0.3` * `libpython3.13-minimal - 3.13.0-1ubuntu0.3` * `libpython3.13-stdlib - 3.13.0-1ubuntu0.3` * `libpython3.13-testsuite - 3.13.0-1ubuntu0.3` * `python3.13 - 3.13.0-1ubuntu0.3` * `python3.13-dev - 3.13.0-1ubuntu0.3` * `python3.13-doc - 3.13.0-1ubuntu0.3` * `python3.13-examples - 3.13.0-1ubuntu0.3` * `python3.13-full - 3.13.0-1ubuntu0.3` * `python3.13-gdbm - 3.13.0-1ubuntu0.3` * `python3.13-minimal - 3.13.0-1ubuntu0.3` * `python3.13-nopie - 3.13.0-1ubuntu0.3` * `python3.13-tk - 3.13.0-1ubuntu0.3` * `python3.13-venv - 3.13.0-1ubuntu0.3`

**Name of the Vulnerable Software and Affected Versions** libblockdev versions prior to 2.23-2ubuntu3+esm1 libblockdev versions prior to 3.1.1-2ubuntu0.1 libblockdev (affected versions not specified) **Description** A Local Privilege Escalation (LPE) issue exists in libblockdev due to how it interacts with the udisks daemon. The "allow active" setting in Polkit allows physically present users to perform specific actions based on their session type. While udisks typically mounts user-provided filesystem images using security flags such as `nosuid` and `nodev` to prevent privilege escalation, a local attacker can bypass these protections. By creating a specially crafted XFS image containing a SUID-root shell and tricking udisks into resizing it, the malicious filesystem is mounted with root privileges. This allows the attacker to execute the SUID-root shell and gain complete control of the target host. **Recommendations** Update to version 2.23-2ubuntu3+esm1. Update to version 3.1.1-2ubuntu0.1. Upgrade libblockdev packages to the latest available version.

**Name of the Vulnerable Software and Affected Versions** needrestart versions prior to 3.8 **Description** The issue is related to a race condition that allows local attackers to execute arbitrary code as root by tricking needrestart into running a fake Python interpreter. This is achieved by winning a race condition and substituting the system's real Python interpreter with a malicious one. The initial security fix introduced a regression, which was subsequently resolved. **Recommendations** For needrestart versions prior to 3.8, update to version 3.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `usr/bin/python` file to prevent substitution with a malicious executable until a patch is applied.

Name of the Vulnerable Software and Affected Versions: less versions through 653 Description: The issue is related to incorrect handling of quotes in the filename.c file, which can allow an attacker to execute arbitrary commands. This typically requires the use of attacker-controlled file names, such as those extracted from an untrusted archive, and the LESSOPEN environment variable, which is set by default in many cases. Recommendations: For versions through 653, consider disabling the LESSOPEN environment variable as a temporary workaround until a patch is available. Restrict access to files with potentially malicious names to minimize the risk of exploitation. Avoid using less with untrusted archives or files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Flatpak versions prior to 1.10.8 Flatpak versions prior to 1.12.8 Flatpak versions prior to 1.14.4 Flatpak versions prior to 1.15.4 **Description** The issue is related to the ioctl component of the Flatpak tool for managing applications and environments. It involves copying text from a virtual console and pasting it into the command buffer, from which the command might be run after the Flatpak app has exited. This can lead to a denial of service. The vulnerability is specific to Linux virtual consoles such as `/dev/tty1`, `/dev/tty2`, and so on. Graphical terminal emulators like xterm, gnome-terminal, and Konsole are unaffected. **Recommendations** For versions prior to 1.10.8, update to version 1.10.8 or later. For versions prior to 1.12.8, update to version 1.12.8 or later. For versions prior to 1.14.4, update to version 1.14.4 or later. For versions prior to 1.15.4, update to version 1.15.4 or later. As a temporary workaround, do not run Flatpak on a Linux virtual console. Instead, use it in a Wayland or X11 graphical environment.

**Name of the Vulnerable Software and Affected Versions** debian-goodies version 0.88.1 **Description** The issue is related to the debmany function in the debian-goodies package, which allows attackers to execute arbitrary shell commands due to an eval call. This can be achieved via a crafted .deb file. The path is shown to the user before execution. The vulnerability is caused by the lack of measures to neutralize special elements used in the operating system command when processing .deb files, which can allow an attacker to execute arbitrary commands. **Recommendations** For version 0.88.1, consider disabling the `eval` call in the debmany function as a temporary workaround until a patch is available. Restrict access to the debmany function to minimize the risk of exploitation. Avoid using crafted .deb files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** needrestart versions 0.8 through 3.5 before 3.6 **Description** The issue is related to local privilege escalation. Regexes used to detect Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate privileges when needrestart checks if interpreters are using old source files. **Recommendations** For versions 0.8 through 3.5 before 3.6, update to version 3.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the regex detection feature for Perl, Python, and Ruby interpreters until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Netsurf versions through 2.8 **Description** The issue is related to an information-disclosure vulnerability due to a world-readable cookie jar. **Recommendations** For versions through 2.8, update to a version where the cookie jar is not world-readable to mitigate the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 9base versions 1:6-6 through 1:6-7 **Description** The issue is related to the insecure creation of temporary files, resulting in predictable filenames. **Recommendations** For versions 1:6-6 through 1:6-7, consider implementing secure temporary file creation mechanisms to prevent predictable filenames. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** rc versions prior to 1.7.1-5 **Description** The issue is related to insufficient input validation in the Temp File Handler component of the Plan 9 rc command shell. This can be exploited by a remote attacker to create arbitrary temporary files. **Recommendations** For versions prior to 1.7.1-5, update to version 1.7.1-5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Gamera versions prior to 3.4.1 **Description** The issue arises from the insecure creation of temporary files. **Recommendations** For versions prior to 3.4.1, update to version 3.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** python-rply versions prior to 0.7.4 **Description** The issue is related to the insecure creation of temporary files. **Recommendations** For versions prior to 0.7.4, update to version 0.7.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** babiloo versions 2.0.9 through 2.0.10 **Description** The issue allows a local attacker to overwrite arbitrary files due to the creation of temporary files with predictable names when downloading and unpacking dictionary files. **Recommendations** For versions 2.0.9 through 2.0.10, update to version 2.0.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Crossroads version 2.81 **Description** The issue arises from improper handling of the /tmp directory during the build process of xr, allowing a local attacker to create a world-writable subdirectory in a specific location under /tmp. The attacker can then wait for a user process to copy xr into this subdirectory and subsequently replace the contents with a Trojan horse version of xr. **Recommendations** For Crossroads version 2.81, consider restricting access to the /tmp directory to prevent unauthorized modifications, and ensure that user processes copying xr into /tmp use secure and isolated temporary directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** myrepos versions through 1.20171231 **Description** The issue allows a malicious website operator or a Man-in-the-Middle (MitM) attacker to execute arbitrary code. This can be achieved by taking advantage of the fact that `webcheckout` in `myrepos` does not sanitize URLs passed to `git clone`. Demonstrated attacks include an "ext::sh -c" attack or an option injection attack. **Recommendations** For versions through 1.20171231, update to a version that sanitizes URLs passed to `git clone` to prevent arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** minizip versions prior to 1.1-5 **Description** The issue is related to a directory traversal vulnerability in the do extract currentfile function in miniunz.c in miniunzip. This vulnerability might allow remote attackers to write to arbitrary files via a crafted entry in a ZIP archive. **Recommendations** For versions prior to 1.1-5, update to version 1.1-5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the do extract currentfile function in miniunz.c until a patch is available. Avoid using miniunzip to extract ZIP archives from untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** glibc versions 2.26 and earlier **Description** The issue is caused by an integer overflow in the implementation of the `posix memalign` in `memalign` functions, potentially leading to heap corruption. This could allow a remote attacker to cause a denial of service. The problem is related to a cyclic shift of a pointer, resulting in a memory overflow. **Recommendations** For glibc versions 2.26 and earlier, consider updating to a version later than 2.26 to resolve the issue. As a temporary workaround, consider restricting the use of the `memalign` function until a patch is available. Avoid using the `posix memalign` function in the affected glibc versions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** procmail version 3.22 **Description** The issue is a heap-based buffer overflow in the loadbuf function in formisc.c in formail, which can be exploited by remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted e-mail message. This is due to a hardcoded realloc size. **Recommendations** For procmail version 3.22, consider disabling the loadbuf function in formisc.c as a temporary workaround until a patch is available. Restrict access to the formail component to minimize the risk of exploitation. Avoid using the affected function to process e-mail messages until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** mktexlsr versions 22855 through 36625 **Description** The issue allows local users to write to arbitrary files via a symlink attack. **Recommendations** For versions 22855 through 36625, consider restricting access to the mktexlsr utility until a patch is available. As a temporary workaround, avoid using mktexlsr with untrusted input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** UnRAR versions prior to 5.5.7 **Description** The issue is caused by an out-of-bounds read in the `EncodeFileName::Decode` call within the `Archive::ReadHeader15` function of the libunrar.a library in UnRAR. This can be exploited by a remote attacker to cause the application to crash. **Recommendations** For versions prior to 5.5.7, update to version 5.5.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `Archive::ReadHeader15` function until a patch is available.