Loïc Minier

Name of the Vulnerable Software and Affected Versions: xvfb-run version 1.6.1 Description: The issue allows local users to gain privileges by listing the process and its arguments, as the magic cookie (MCOOKIE) is placed on the command line. This is a problem in xvfb-run 1.6.1, affecting Debian GNU/Linux, Ubuntu, Fedora 10, and possibly other operating systems. Recommendations: For xvfb-run version 1.6.1, consider restricting access to the command line arguments to minimize the risk of exploitation. As a temporary workaround, avoid using the command line to list processes and their arguments until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 2.23.4 through 3.0.0 **Description** The issue allows remote attackers to execute arbitrary commands, likely involving shell metacharacters, via the -f option to the `Email::Send::Sendmail` function in the email in.pl script. **Recommendations** For Bugzilla versions 2.23.4 through 3.0.0, consider disabling the `Email::Send::Sendmail` function or restricting its use to prevent arbitrary command execution until a fix is available.