Simcha Kosman

**Apache bRPC and Affected Versions** Apache bRPC versions prior to 1.15.0 **Description** Apache bRPC contains a remote command injection flaw in the heap profiler built-in service. The `/pprof/heap` endpoint does not properly validate the `extra options` parameter, allowing attackers to execute arbitrary system commands. This vulnerability enables unauthenticated remote code execution, potentially leading to full system compromise, data theft, and service disruption. The issue stems from the direct concatenation of the unsanitized `extra options` parameter into a shell command executed with bRPC service privileges. Approximately 4,000 instances are exposed according to ZoomEye. Attackers can leverage this flaw to gain shell access, exfiltrate sensitive data, deploy malware, and move laterally within networks. The vulnerable parameter, `extra options`, is used in requests to the `/pprof/heap` API endpoint. **Recommendations** Upgrade to Apache bRPC version 1.15.0 or later. As a temporary workaround, disable the heap profiler in production. Restrict access to the `/pprof/heap` endpoint via network controls and authentication. Review access logs for `/pprof/heap` requests with suspicious `extra options` values. Inspect spawned processes and verify system integrity.

**Name of the Vulnerable Software and Affected Versions** libretro libretro-common (affected versions not specified) **Description** An out-of-bounds write issue exists in the `cdfs open cue track` function. This allows remote attackers to execute arbitrary code via a crafted `.cue` file. The issue occurs when a file path within the `.cue` file exceeds `PATH MAX LENGTH`. The `memcpy` function copies this path into a fixed-size buffer, leading to the write beyond the buffer's boundaries. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** linenoise (affected versions not specified) **Description** A time-of-check to time-of-use (TOCTOU) issue exists in the `linenoiseHistorySave` function within the linenoise library. This flaw allows local attackers to overwrite arbitrary files and modify permissions by exploiting a symlink race condition. The race occurs between the `fopen("w")` operation on the history path and a subsequent `chmod()` operation on the same path. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: libretro RetroArch versions 1.18.0 through 1.20.0 Description: A flaw has been found in the `filestream vscanf` function of the `libretro-common/streams/file stream.c` file. This manipulation causes an out-of-bounds read. The attack needs to be launched locally. Recommendations: Upgrade to version 1.21.0 to mitigate this issue. Upgrade the affected component.

Name of the Vulnerable Software and Affected Versions: bulletphysics bullet3 versions prior to 3.26 Description: A stack-based buffer overflow exists in the `LoadOFF` function within bulletphysics bullet3. This issue allows remote attackers to execute arbitrary code by processing a crafted OFF file containing an overlong initial token. The vulnerability can be triggered directly through the VHACD test utility or indirectly via the `vhacd` function in PyBullet. Recommendations: Update to a version of bulletphysics bullet3 version 3.26 or later.

**Name of the Vulnerable Software and Affected Versions** Redis versions 7.0.0 through 8.0.2 **Description** Redis is an open source, in-memory database that persists on disk. A stack-based buffer overflow exists in redis-check-aof due to the use of memcpy with strlen(filepath) when copying a user-supplied file path into a fixed-size stack buffer. This allows an attacker to overflow the stack and potentially achieve code execution. The issue has been patched in version 8.0.2. **Recommendations** For versions 7.0.0 through 8.0.2, update to version 8.0.2 to resolve the issue. As a temporary workaround, consider disabling the redis-check-aof function until a patch is available. Restrict access to the vulnerable redis-check-aof module to minimize the risk of exploitation. Avoid using the `filepath` variable in the affected redis-check-aof function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FFmpeg version 7.1 **Description** The issue is an Unchecked Return Value, Out-of-bounds Read vulnerability that allows reading sensitive constants within an executable. This vulnerability is associated with program files, specifically the `af pan.C` file in the `libavfilter` directory. The issue was discovered by Simcha Kosman. **Recommendations** For FFmpeg version 7.1, update to a version that includes the fix committed at https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a to resolve the issue. As a temporary workaround, consider restricting access to sensitive constants within the executable until the update is applied.