Red Team

**Name of the Vulnerable Software and Affected Versions** abrt-dbus (affected versions not specified) **Description** A time-of-check time-of-use (TOCTOU) race condition exists in the `SetElement()` method of the abrt-dbus D-Bus service. A TOCTOU race condition occurs when a program checks a condition (such as a file's existence or permissions) and then performs an action based on that check, but the condition changes between the check and the action. In this case, between the creation of the dump directory and the execution of the post-create event, a local user can call `SetElement()` to write arbitrary text files into the root-owned dump directory. This allows the bypass of package validation, enabling crashes of unpackaged binaries to survive post-create processing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libreport (affected versions not specified) **Description** A symlink following issue exists in the ABRT post-create event handler scripts. These scripts write output files using shell redirections without the `O NOFOLLOW` flag (a flag that prevents a file from being opened if it is a symbolic link). If a target file is replaced with a symlink, the shell process running with root privileges follows the link and writes content to the target, enabling arbitrary file overwrites on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libreport (affected versions not specified) **Description** A content injection issue exists in the ABRT post-create event handler scripts within libreport. The event script retrieves log entries from the systemd journal for crashed processes and writes them to files in the dump directory. Because embedded control characters are not sanitized, a local user can inject arbitrary content into the journal output by including newline characters in syslog messages, allowing them to control the content written to dump directory files by the root user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Uderzo Software SpaceSniffer version 2.0.5.18 **Description** A buffer overflow issue exists in Uderzo Software SpaceSniffer version 2.0.5.18. A remote attacker can potentially execute arbitrary code by providing a specially crafted `.sns` snapshot file. The issue involves a buffer overflow when processing the `.sns` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.