Kevin Backhouse

Name of the Vulnerable Software and Affected Versions: Poppler versions prior to 25.06.0 Description: The issue is related to the use of `std::atomic int` for reference counting in the Poppler PDF rendering library. Since `std::atomic int` is only 32 bits, it is possible to overflow the reference count, which can trigger a use-after-free. Recommendations: For versions prior to 25.06.0, update to version 25.06.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** accountsservice (affected versions not specified) **Description** An unprivileged local attacker can trigger a use-after-free issue in accountsservice by sending a D-Bus message to the accounts-daemon process. This allows the attacker to potentially exploit the vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libssh versions 0.9.6 through 0.10.4 **Description** A vulnerability in the `pki verify data signature` function of the libssh library for client authentication is related to shortcomings in the authentication procedure. This issue may allow a remote attacker to bypass security restrictions and gain unauthorized access to protected information. The problem is caused by the return value `rc`, which is initialized to SSH ERROR and later rewritten to save the return value of the function call `pki key check hash compatible`. The value of the variable is not changed between this point and the cryptographic verification. Therefore, any error between them calls `goto error` returning SSH OK. **Recommendations** For libssh versions 0.9.6 through 0.10.4, consider disabling the `pki verify data signature` function as a temporary workaround until a patch is available. Restrict access to the affected authentication module to minimize the risk of exploitation. Avoid using the `pki key check hash compatible` function call in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** U-Boot versions through 2022.04 U-Boot versions through 2022.07-rc2 **Description** The issue is related to the `nfs lookup reply` function in `net/nfs.c`, which is part of the U-Boot bootloader for Linux-based embedded operating systems. It involves a buffer copy operation without proper input size validation, potentially leading to a buffer overflow. This could allow an attacker to execute arbitrary code. **Recommendations** For U-Boot versions through 2022.04, update to a version that includes a correct fix for the issue. For U-Boot versions through 2022.07-rc2, update to a version that includes a correct fix for the issue. As a temporary workaround, consider restricting access to the `nfs lookup reply` function in `net/nfs.c` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ubuntu versions prior to 0.6.55-0ubuntu12~20.04.5 Ubuntu versions prior to 0.6.55-0ubuntu13.3 Ubuntu versions prior to 0.6.55-0ubuntu14.1 Ubuntu 21.10 Ubuntu 21.04 Ubuntu 20.04 LTS **Description** The issue is related to a double-free memory corruption error in the accountsservice component of the Ubuntu operating system. This error occurs due to the fallback locale variable being freed in the user change language authorized cb function, which is reachable via the `SetLanguage` dbus function. The exploitation of this issue can allow an attacker to locally elevate privileges to root. **Recommendations** For Ubuntu versions prior to 0.6.55-0ubuntu12~20.04.5, update to version 0.6.55-0ubuntu12~20.04.5 or later. For Ubuntu versions prior to 0.6.55-0ubuntu13.3, update to version 0.6.55-0ubuntu13.3 or later. For Ubuntu versions prior to 0.6.55-0ubuntu14.1, update to version 0.6.55-0ubuntu14.1 or later. For Ubuntu 21.10, Ubuntu 21.04, and Ubuntu 20.04 LTS, update to the latest version that includes the fix for this issue. As a temporary workaround, consider restricting access to the `SetLanguage` dbus function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Flask-RESTX versions prior to 0.5.1 **Description** The issue is related to a Regular Expression Denial of Service (ReDoS) vulnerability in the `email regex` of Flask-RESTX. This vulnerability can be exploited, potentially leading to a denial of service. **Recommendations** For versions prior to 0.5.1, update to version 0.5.1 to resolve the issue. As a temporary workaround, consider restricting the use of the `email regex` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Exiv2 versions prior to v0.27.5 **Description** The issue is related to an infinite loop triggered when Exiv2 is used to read the metadata of a crafted image file. This could potentially be exploited by an attacker to cause a denial of service if they can trick the victim into running Exiv2 on a crafted image file. The vulnerability allows a remote attacker to cause a denial of service using a specially crafted image file. **Recommendations** For versions prior to v0.27.5, update to version v0.27.5 to resolve the issue. As a temporary workaround, consider avoiding the use of Exiv2 to read metadata from untrusted image files until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Exiv2 versions v0.27.4 and earlier **Description** The issue is related to an infinite loop in the Exiv2 library, which can be triggered when modifying the metadata of a crafted image file. This can potentially allow an attacker to cause a denial of service if they can trick the victim into running Exiv2 on a crafted image file. The bug is specifically triggered when deleting the IPTC data, which requires an extra command line option (`-d I rm`). **Recommendations** For Exiv2 versions v0.27.4 and earlier, update to version v0.27.5 to resolve the issue. As a temporary workaround, consider avoiding the use of the `-d I rm` command line option to minimize the risk of exploitation. Restrict access to the Exiv2 operation that requires this option to reduce the likelihood of an attacker triggering the infinite loop.

**Name of the Vulnerable Software and Affected Versions** Exiv2 versions v0.27.4 and earlier **Description** The issue is related to an infinite loop in the Exiv2 library, which can be triggered when printing the metadata of a specially crafted image file, potentially allowing a remote attacker to cause a denial of service. This bug is specifically triggered when printing the image ICC profile, a less frequently used operation that requires the extra command line option `-p C`. **Recommendations** For Exiv2 versions v0.27.4 and earlier, update to version v0.27.5 to resolve the issue. As a temporary workaround, consider avoiding the use of the `-p C` command line option to minimize the risk of exploitation. Restrict access to crafted image files to prevent potential denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** Exiv2 versions v0.27.4 and earlier **Description** The issue is related to an out-of-bounds read in the Exiv2 library, which can be triggered when reading the metadata of a specially crafted image file. This could potentially allow a remote attacker to cause a denial of service. The library is used for managing metadata of image files. **Recommendations** For Exiv2 versions v0.27.4 and earlier, update to version v0.27.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Polkit versions prior to 0.119 **Description** It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this issue is to data confidentiality and integrity as well as system availability. The `polkit system bus name get creds sync()` function of the dbus-daemon library is associated with insufficient access control, allowing an attacker to elevate their privileges. **Recommendations** Polkit version prior to 0.119: Update to Polkit version 0.119 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** apt versions 1.2.32ubuntu0 through 1.2.32ubuntu0.1 apt versions 1.6.12ubuntu0 through 1.6.12ubuntu0.1 apt versions 2.0.2ubuntu0 through 2.0.2ubuntu0.1 apt versions 2.1.10ubuntu0 through 2.1.10ubuntu0.0 **Description** The issue is related to integer overflows and underflows in the apt package manager while parsing .deb packages. This can be exploited to gain access to confidential data, disrupt data integrity, and cause a denial of service. The affected files are apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. **Recommendations** For apt version 1.2.32ubuntu0, update to version 1.2.32ubuntu0.2 or later. For apt version 1.6.12ubuntu0, update to version 1.6.12ubuntu0.2 or later. For apt version 2.0.2ubuntu0, update to version 2.0.2ubuntu0.2 or later. For apt version 2.1.10ubuntu0, update to version 2.1.10ubuntu0.1 or later.

**Name of the Vulnerable Software and Affected Versions** python-apt versions 1.1.0~beta1 through 1.1.0~beta1ubuntu0.16.04.9 python-apt versions 1.6.5ubuntu0 through 1.6.5ubuntu0.3 python-apt versions 2.0.0ubuntu0 through 2.0.0ubuntu0.20.04.1 python-apt versions 2.1.3ubuntu1 through 2.1.3ubuntu1.0 **Description** The issue is related to memory and file descriptor leaks found in the python-apt module, specifically in the files python/arfile.cc, python/tag.cc, and python/tarfile.cc. This can lead to a denial of service. The leaks are caused by the lack of resource release after its expiration. **Recommendations** For python-apt versions 1.1.0~beta1 through 1.1.0~beta1ubuntu0.16.04.9, update to version 1.1.0~beta1ubuntu0.16.04.10 or later. For python-apt versions 1.6.5ubuntu0 through 1.6.5ubuntu0.3, update to version 1.6.5ubuntu0.4 or later. For python-apt versions 2.0.0ubuntu0 through 2.0.0ubuntu0.20.04.1, update to version 2.0.0ubuntu0.20.04.2 or later. For python-apt versions 2.1.3ubuntu1 through 2.1.3ubuntu1.0, update to version 2.1.3ubuntu1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Aptdaemon versions prior to 1.1.1+bzr982-0ubuntu34.1 **Description** Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. **Recommendations** For versions prior to 1.1.1+bzr982-0ubuntu34.1, update to version 1.1.1+bzr982-0ubuntu34.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** aptdaemon versions prior to 1.1.1+bzr982-0ubuntu34.1 **Description** The aptdaemon DBus interface disclosed file existence by setting Terminal/DebconfSocket properties. **Recommendations** For versions prior to 1.1.1+bzr982-0ubuntu34.1, update to version 1.1.1+bzr982-0ubuntu34.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** gdm3 versions before 3.36.2 or 3.38.2 **Description** The issue allows a local user to potentially create a new privileged account on Ubuntu and its derivatives by exploiting a vulnerability in the GNOME Display Manager (GDM) when it cannot contact the accountservice service via dbus in a timely manner. This can be chained with another issue to achieve privilege escalation. The vulnerability is resolved in GNOME 3.36.2 and 3.38.2. **Recommendations** For gdm3 versions before 3.36.2, update to version 3.36.2 or later. For gdm3 versions before 3.38.2, update to version 3.38.2 or later. As a temporary workaround, consider restricting access to the accountservice service via dbus to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SANE Backends versions prior to 1.0.30 **Description** The issue is related to an out-of-bounds read in the SANE Backends interface, which provides access to scanning devices. This may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program. **Recommendations** For versions prior to 1.0.30, update to version 1.0.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the SANE Backends interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SANE Backends versions prior to 1.0.30 **Description** The issue is related to an out-of-bounds read that may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program. This could potentially provide access to confidential data. **Recommendations** For versions prior to 1.0.30, update to version 1.0.30 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SANE Backends versions prior to 1.0.30 **Description** The issue is related to a NULL pointer dereference in the `sanei epson net read` function of the SANE Backends interface, which provides access to raster image scanning devices. This can be exploited by a malicious device connected to the same local network as the victim, allowing the attacker to cause a denial of service. **Recommendations** For versions prior to 1.0.30, update to version 1.0.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the `sanei epson net read` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SANE Backends versions prior to 1.0.30 **Description** A heap buffer overflow in SANE Backends may allow a malicious device connected to the same local network as the victim to execute arbitrary code. The issue is related to the epsonds component of the sane-backends package and involves a buffer overflow in memory, which can be exploited by a remote attacker to execute arbitrary code or cause a denial of service. **Recommendations** For versions prior to 1.0.30, update to version 1.0.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the network to minimize the risk of exploitation by a malicious device.