Simon Mcvittie

**Name of the Vulnerable Software and Affected Versions** snapd versions 2.54.2 **Description** The issue is related to a race condition in the snap-confine binary of the snapd utility, which can be exploited to gain root privileges by executing arbitrary code. This can be achieved by a local attacker bind-mounting their own contents inside the snap's private mount namespace, causing snap-confine to execute the code and resulting in privilege escalation. **Recommendations** For snapd version 2.54.2, update to version 2.54.3+18.04, 2.54.3+20.04, or 2.54.3+21.10.1 to resolve the issue. As a temporary workaround, consider restricting access to the `snap-confine` binary until a patch is available.

Name of the Vulnerable Software and Affected Versions: Flatpak versions 0.11.4 through 1.8.4 Flatpak versions 1.9.0 through 1.9.3 Description: A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. Recommendations: For versions 0.11.4 through 1.8.4, update to version 1.8.5 or later. For versions 1.9.0 through 1.9.3, update to version 1.9.4 or later. As a temporary workaround, consider preventing the `flatpak-portal` service from starting, but this mitigation will prevent many Flatpak apps from working correctly.

**Name of the Vulnerable Software and Affected Versions** GNOME gvfs versions prior to 1.38.3 GNOME gvfs versions 1.40.x prior to 1.40.2 GNOME gvfs versions 1.41.x prior to 1.41.3 **Description** The issue is related to errors in the authorization procedure of the GVFS subsystem in the GNOME desktop environment for Linux operating systems. A local attacker could connect to the D-Bus server socket and issue D-Bus method calls, potentially allowing them to exploit the vulnerability. The server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does. **Recommendations** For versions prior to 1.38.3, update to version 1.38.3 or later. For versions 1.40.x prior to 1.40.2, update to version 1.40.2 or later. For versions 1.41.x prior to 1.41.3, update to version 1.41.3 or later.

**Name of the Vulnerable Software and Affected Versions** Glib versions prior to 2.60.0 **Description** The issue is related to incorrect permission handling in the Glib library, specifically in the functions `g file make directory with parents` and `g file replace contents`. This can allow a remote attacker to elevate their privileges and gain access to files. The keyfile settings backend in GNOME GLib creates directories and files with improper permission restrictions, using 0777 permissions for directories and default file permissions for files. **Recommendations** For versions prior to 2.60.0, update to version 2.60.0 or later to resolve the issue. As a temporary workaround, consider restricting access to directories and files created using the `g file make directory with parents` and `g file replace contents` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Flatpak versions prior to 1.0.7 Flatpak versions 1.1.x Flatpak versions 1.2.x prior to 1.2.3 **Description** The issue is related to errors in handling file descriptors in the Flatpak application and environment management tool. Exploitation of this issue may allow an attacker to modify arbitrary executable files on the host side by running the `apply extra` script. The vulnerability exposes /proc in the apply extra script sandbox, which enables attackers to modify a host-side executable file. **Recommendations** For Flatpak versions prior to 1.0.7, update to version 1.0.7 or later. For Flatpak versions 1.1.x, update to version 1.2.3 or later. For Flatpak versions 1.2.x prior to 1.2.3, update to version 1.2.3 or later. As a temporary workaround, consider restricting access to the `apply extra` script until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ikiwiki versions prior to 3.20160506 **Description** A cross-site scripting (XSS) issue exists, potentially allowing remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message in the cgierror function in CGI.pm. **Recommendations** For versions prior to 3.20160506, update to version 3.20160506 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** python-dbusmock versions prior to 0.15.1 **Description** The issue allows an attacker to execute malicious code by supplying a .pyc file, potentially tricking the AddTemplate() D-Bus method call or the DBusTestCase.spawn server template() method into executing the malicious code. **Recommendations** For versions prior to 0.15.1, update to version 0.15.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the AddTemplate() D-Bus method call and the DBusTestCase.spawn server template() method to minimize the risk of exploitation. Avoid using these methods with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Midgard2 version 10.05.7.1 **Description** The default D-Bus access control rule in Midgard2 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges. **Recommendations** For Midgard2 version 10.05.7.1, consider modifying the D-Bus access control rule to restrict local users from sending arbitrary method calls or signals to any process on the system bus. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Bus versions 1.3.0 through 1.6.x before 1.6.24 D-Bus versions 1.8.x before 1.8.8 **Description** The issue is caused by an off-by-one error when running on a 64-bit system and the max message unix fds limit is set to an odd number. This allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure. The vulnerability can be exploited to compromise the confidentiality, integrity, and availability of protected information. **Recommendations** For D-Bus versions 1.3.0 through 1.6.x before 1.6.24, update to version 1.6.24 or later to resolve the issue. For D-Bus versions 1.8.x before 1.8.8, update to version 1.8.8 or later to resolve the issue. As a temporary workaround, consider setting the max message unix fds limit to an even number to prevent the off-by-one error.

**Name of the Vulnerable Software and Affected Versions** D-Bus versions 1.4.x through 1.6.x before 1.6.30 D-Bus versions 1.8.x before 1.8.16 D-Bus versions 1.9.x before 1.9.10 **Description** The issue is caused by synchronization errors when using a shared resource in the D-Bus interprocess communication system. Exploitation of this issue may allow an attacker to cause a denial of service due to the lack of functionality to check the source of the `ActivationFailure` signal. Local users can leverage a race condition involving sending an `ActivationFailure` signal before systemd responds, resulting in an activation failure error. **Recommendations** For D-Bus versions 1.4.x through 1.6.x before 1.6.30, update to version 1.6.30 or later. For D-Bus versions 1.8.x before 1.8.16, update to version 1.8.16 or later. For D-Bus versions 1.9.x before 1.9.10, update to version 1.9.10 or later.

**Name of the Vulnerable Software and Affected Versions** telepathy-idle versions prior to 0.1.15 **Description** The issue arises from inadequate verification of X.509 certificates. Specifically, it does not check (1) if the issuer is a trusted Certificate Authority (CA), (2) if the server hostname matches a domain name in the subject's Common Name (CN), or (3) the expiration date of the certificate. This oversight allows man-in-the-middle attackers to spoof SSL servers by using any valid certificate. **Recommendations** For versions prior to 0.1.15, update to version 0.1.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ioquake3 versions prior to r2253 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on the /tmp/ioq3.pid temporary file. **Recommendations** For versions prior to r2253, update to version r2253 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.2.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in a divide-by-zero error and a kernel panic, through IGMP packets. This is due to the `igmp heard query` function in `net/ipv4/igmp.c`. **Recommendations** For Linux kernel versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to IGMP packets to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Net::Ping::External versions through 0.15 **Description** The issue is related to the lack of input sanitization in the Net::Ping::External extension for Perl, specifically with regards to shell metacharacters in arguments such as invalid hostnames. This allows for shell command injection and arbitrary command execution if untrusted input is used. The vulnerability can be exploited by a remote attacker to execute arbitrary commands using shell metacharacters. **Recommendations** For versions through 0.15, consider disabling the use of backticks in External.pm or restricting input to trusted sources until a patch is available. As a temporary workaround, avoid using untrusted input for the `hostname` variable in the affected API endpoint. Restrict access to the vulnerable Net::Ping::External extension to minimize the risk of exploitation.