Sebastian Krahmer

**Name of the Vulnerable Software and Affected Versions** fence-agents versions prior to 4.0.17 **Description** The issue is related to the fence cisco ucs.py script in fence-agents, which does not verify remote SSL certificates. This can potentially allow man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates. **Recommendations** For versions prior to 4.0.17, update to version 4.0.17 or later to resolve the issue. As a temporary workaround, consider disabling the fence cisco ucs.py script until a patch is available. Restrict access to the script to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** lightdm versions prior to 0.9.6 **Description** The issue allows a local user to potentially escalate privileges by overwriting root-owned files via a symlink. This is possible because lightdm writes in .dmrc and Xauthority files using root permissions while the files are in user-controlled folders. **Recommendations** For versions prior to 0.9.6, update to version 0.9.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** nginx (affected versions not specified) **Description** The issue concerns the nginx http proxy module, which does not verify the peer identity of the HTTPS origin server. This lack of verification could facilitate a man-in-the-middle attack (MITM). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** udisks versions prior to 1.0.3 **Description** The issue allows a local user to load arbitrary Linux kernel modules. **Recommendations** For versions prior to 1.0.3, update to version 1.0.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** gdm3 versions 3.14.2 and possibly later **Description** The issue is an information leak that occurs before the screen lock. **Recommendations** For gdm3 version 3.14.2, update to a version that contains a fix for this issue, if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cryptctl versions prior to 2.0 **Description** A malicious server could send RPC requests to overwrite files outside of the cryptctl key database. **Recommendations** For versions prior to 2.0, update to version 2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firejail versions prior to 0.9.44.6 Firejail 0.9.38.x LTS versions prior to 0.9.38.10 LTS **Description** The issue allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option, due to an incomplete fix for a previous issue. This is possible because Firejail does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero. **Recommendations** For Firejail versions prior to 0.9.44.6, update to version 0.9.44.6 or later. For Firejail 0.9.38.x LTS versions prior to 0.9.38.10 LTS, update to version 0.9.38.10 LTS or later.

**Name of the Vulnerable Software and Affected Versions** Firejail versions prior to 0.9.44.4 **Description** The issue allows context-dependent attackers to bypass a seccomp-based sandbox protection mechanism. This can be achieved via the --allow-debuggers argument when running on a Linux kernel before 4.8. **Recommendations** For Firejail versions prior to 0.9.44.4, update to version 0.9.44.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the --allow-debuggers argument until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Firejail versions prior to 0.9.44.4 Firejail versions 0.9.38.x prior to 0.9.38.8 LTS **Description** The issue allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option, due to the software not considering the .Xauthority case during its attempt to prevent accessing user files with an euid of zero. **Recommendations** For Firejail versions prior to 0.9.44.4, update to version 0.9.44.4 or later. For Firejail versions 0.9.38.x prior to 0.9.38.8 LTS, update to version 0.9.38.8 LTS or later.

**Name of the Vulnerable Software and Affected Versions** Bubblewrap versions prior to 0.1.3 **Description** The issue allows local users to potentially gain privileges by attaching to the process. This can be demonstrated by sending commands to a PrivSep socket. **Recommendations** For versions prior to 0.1.3, update to version 0.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** setroubleshoot (affected versions not specified) **Description** The issue allows local users to bypass an intended container protection mechanism and execute arbitrary commands. This can be achieved by triggering an SELinux denial with a crafted file name, handled by the ` set tpath` function, or via a crafted `local id` or `analysis id` field in a crafted XML document to the `run fix` function. The vulnerability is related to the `subprocess.check output` and `commands.getstatusoutput` functions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** systemd versions prior to v229 **Description** A flaw in the systemd timers feature caused world-writable suid files to be created, allowing local attackers to escalate their privileges to root. The issue is related to the `/src/basic/fs-util.c` file. **Recommendations** For versions prior to v229, update to version v229 or later to resolve the issue. As a temporary workaround, consider restricting access to the systemd timers feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** setroubleshoot versions prior to 3.2.22 **Description** The issue is related to incorrect file name handling, which can be exploited by remote attackers to execute arbitrary commands by adding shell metacharacters to file names. This is specifically related to the `get rpm nvr by file path temporary` function in `util.py`. **Recommendations** For versions prior to 3.2.22, update to version 3.2.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the `get rpm nvr by file path temporary` function in `util.py` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Squid versions 3.x through 3.4.7 **Description** The issue allows remote attackers to obtain sensitive information or cause a denial of service, resulting in an out-of-bounds read and crash. This can be achieved via a crafted type in an ICMP or ICMP6 packet. **Recommendations** For Squid versions 3.x through 3.4.7, update to version 3.4.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** systemd versions prior to 37 **Description** The issue allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/. This is due to a problem in the session link x11 socket function in login/logind-session.c in systemd-logind. **Recommendations** For versions prior to 37, update to version 37 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux-PAM version 1.1.8 **Description** The issue concerns multiple directory traversal vulnerabilities in the pam timestamp module. These vulnerabilities allow local users to create arbitrary files or possibly bypass authentication. This can be achieved by including a .. (dot dot) in the `PAM RUSER` value to the `get ruser` function or the `PAM TTY` value to the `check tty` function, which is used by the `format timestamp name` function. **Recommendations** For Linux-PAM version 1.1.8, consider restricting the use of the pam timestamp module until a patch is available. As a temporary workaround, restrict access to the `get ruser` and `check tty` functions to minimize the risk of exploitation. Avoid using the `PAM RUSER` and `PAM TTY` values in sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** cups-filters versions 1.0.41 through 1.0.50 **Description** The issue allows remote IPP printers to execute arbitrary commands via shell metacharacters in the model or PDL, related to System V interface scripts generated for queues. This can lead to a violation of confidentiality, integrity, and availability of protected information. **Recommendations** For versions 1.0.41 through 1.0.50, update to version 1.0.51 or later to resolve the issue. As a temporary workaround, consider restricting access to the `model` and `PDL` parameters in the IPP protocol to minimize the risk of exploitation. Avoid using shell metacharacters in these parameters until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** libvirt versions 1.1.2 through 1.1.3 **Description** The issue allows local users to overwrite arbitrary files and possibly gain privileges via unspecified environment variables or command-line arguments. **Recommendations** For libvirt versions 1.1.2 through 1.1.3, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** systemd (affected versions not specified) hplip versions prior to 3.14.1 **Description** The issue involves a race condition in PolkitUnixProcess PolkitSubject, allowing local users to bypass access restrictions. This can be achieved through a setuid process or a pkexec process. Additionally, multiple vulnerabilities exist in the hplip package, which can lead to breaches of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited locally. **Recommendations** For systemd, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For hplip versions prior to 3.14.1, update to version 3.14.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** spice-gtk versions 0.14 spice-gtk-python versions 0.14 spice-glib versions 0.14 spice-glib-devel versions 0.14 spice-gtk-devel versions 0.14 spice-gtk-debuginfo versions 0.14 spice-gtk-tools versions 0.14 **Description** The issue allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process. This can lead to a violation of confidentiality, integrity, and availability of protected information. The `polkit unix process new` API function is used insecurely, contributing to the vulnerability. **Recommendations** For spice-gtk version 0.14, consider disabling the `polkit unix process new` function until a patch is available. For spice-gtk-python version 0.14, restrict access to the `polkit unix process new` function to minimize the risk of exploitation. For spice-glib version 0.14, avoid using the `polkit unix process new` function in sensitive operations until the issue is resolved. For spice-glib-devel version 0.14, consider applying configuration changes to limit the impact of the vulnerability. For spice-gtk-devel version 0.14, restrict access to the vulnerable module to minimize the risk of exploitation. For spice-gtk-debuginfo version 0.14, consider disabling the `polkit unix process new` function until a patch is available. For spice-gtk-tools version 0.14, avoid using the `polkit unix process new` function in sensitive operations until the issue is resolved.