author | V3n3RiX <venerix@koprulu.sector> | 2024-06-23 00:11:31 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2024-06-23 00:11:31 +0100 |
commit | bff543bb632933380da922cbfc07c67157d72d42 (patch) | |
tree | df2e5eebc3dbd8e29153ab3a869b3be8d9be9f19 /metadata/glsa | |
parent | 491d0101c89d81dec507f28215b3cb094800d600 (diff) |
gentoo auto-resync : 23:06:2024 - 00:11:30
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 574731 -> 575523 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202406-01.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202406-02.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202406-03.xml | 44 | ||||
-rw-r--r-- | metadata/glsa/glsa-202406-04.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202406-05.xml | 48 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
9 files changed, 235 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 42e56ef326dc..7235d7a12d62 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 574731 BLAKE2B 89caa0807b8cb3bb8f1cc5679dbe23ca4398827dd3b841269212eea4c56cfd057c2066dfc5853236e4134ffbd1bf10272359df656c88cc2dda1c7d6317ab1970 SHA512 68081b023a298180abb3d5c6ce33bd36fece32d1d6fe7d38f87edd236b3e70d2dc5c11f8a42561ff66103806af4278e08e0282649c4d9fe95a44f29ea0bc82b8 -TIMESTAMP 2024-06-21T22:40:39Z +MANIFEST Manifest.files.gz 575523 BLAKE2B de41364df787e2652a1f6dda37e1513a8953f61c0ade9d1ba90db51415db460a2dd55ec567c2c851c28aaf7ffaa4763a80e748ea9a9d8f30ff1696ea4f17f233 SHA512 717db93df5303c6328fa1610a5166072155b52c981dab3121e3399b951cd8877d22fba9534692b8b7da38c227d9e195296abdf7536518c7808a22fe65a776a5f +TIMESTAMP 2024-06-22T22:40:41Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmZ2AWdfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmZ3UulfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klAd6Q//a+mnKuS0s3RNqG7vx0usFL2C7LrBrvu+7HTDdbD+0yYp6atS6qnFalMX -QNL2vpwz0DMQYB1syeYlOgl7pyHK0Gl3T/ABfE7VGc6jo8CteFk9AUFfhLnaesTr -+KnSVfidhbZXdV9bdTNSBuODk7trLyB7fZWW8Y1jo2w9FGRLt6E3Au9Ahqra5ySt -mkRM1BZBnOS1j5gWycBAhBcpevou3uvV3rIvlpcM5zWsWHmS3RznDZFqTV7wnMLX -amQ5jMskbpPVI5lRX7j8XaONRR1iAdxh+/V+6q+nq41w/EuoXyg3VpTaX09NkTot -tsvEE1zyf4Qnzh0leASGecIweGc4IYU4pQ9iwg1Pkn/siLJSnEzSnPQl1QSGLv0K -22JBnYSvK5ZLj7VV5iBcK69ZkPONDf4GOTEIJv3YG4obolZfug8M9UavPQCe8+IE -0l1qm9aoUakSFqncK2Ss+Fa28ZTrX0pyjN5xEqwKKkEjEVdRkKHDDnYg37JAhpaB -GM64FYL6tzgbw8vFeJSVDFFxyO6l5LRrULptL1gZ/s34azF5GcaLIODXDCV/oFZN -GhFWuQZX0C9F9bx3yAuniTxkhXf4V32/j4FSBrmQoc/ML8VO37nvObe7x75PIfnE -klB3hWsuxn7ORz43QUDCJCNpxe8LeH1soH9NzEv/lbk+hdaoNfg= -=H7fn +klBMjBAAtRo76cRpIbOl22uyRKvXwJ+b4MNVEfx34HtIBPPO7dcKCmY9XEsX0uVs +aVZAqmPV/R+Hyr9GTnub6WG1j6aMx01plBe9pmo9BDjKy2uw2S0lS94OFGbv78o6 +QdV2IMLY4KCF19+fd5tkAmmFTx429XQNsWvb6f6G62rfRlMOmJm58+R3W9Jk/O9g 
+xJNWvAT7Q88PA0Fnd54pNuxcXxU5Q6aziFjCmpYh5/0vJIjgEzu5L07d75vPCbK3
+o5rkYjqcbmLNMNxk2/S3AOQ7RnQ4kBcT/v17E42YFgtKTtmGYq/FPQgQLTd46vpW
+OCrzKmJ31cAG9I9zFWE6oZaAGfcPmPsepKP+XpupT0gGeU6jaRIj25R5G2bCchd5
+lknSDU8O3pK9cJ5zEs0AROK6WAdgtYN8fTf0xo6DBdhRO+n57l3VZnbbuMP4cxjC
+87nJwD4G0rNVnhYRQwBc7xufwfzuqCiCfMxEcRLyFzr9Zf4X26njSbDq53lXmjbn
+QHjTw0BXQd5qdXLufXU98MsiAcoiMddLMroHgf5eEiwQz7UdYRI3/NNx2Uh3zuot
+0zA+o39qlteS3KA0Ri36JMSQnBpzn50qqj77TsvNFWMiYxKJD0LwI7CaPdR8FQk7
+5HDM6bOAe3PzrsuUM+o8aYwwcCCbyiB1NgQOvAGWSLupjNIy6n8=
+=IdQI
 -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
Binary files differ
index 539c52a99f3d..df7e9aa6f896 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
diff --git a/metadata/glsa/glsa-202406-01.xml b/metadata/glsa/glsa-202406-01.xml
new file mode 100644
index 000000000000..b751481f5580
--- /dev/null
+++ b/metadata/glsa/glsa-202406-01.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202406-01">
+ <title>GLib: Privilege Escalation</title>
+ <synopsis>A vulnerability has been discovered in GLib, which can lead to privilege escalation.</synopsis>
+ <product type="ebuild">glib</product>
+ <announced>2024-06-22</announced>
+ <revised count="1">2024-06-22</revised>
+ <bug>931507</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-libs/glib" auto="yes" arch="*">
+ <unaffected range="ge">2.78.6</unaffected>
+ <vulnerable range="lt">2.78.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GLib is a library providing a number of GNOME's core objects and functions.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in GLib. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager or logind on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GLib users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.78.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-34397">CVE-2024-34397</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-06-22T06:44:35.106379Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-06-22T06:44:35.109355Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202406-02.xml b/metadata/glsa/glsa-202406-02.xml
new file mode 100644
index 000000000000..e71b4a225fe0
--- /dev/null
+++ b/metadata/glsa/glsa-202406-02.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202406-02">
+ <title>Flatpak: Sandbox Escape</title>
+ <synopsis>A vulnerability has been discovered in Flatpak, which can lead to a sandbox escape.</synopsis>
+ <product type="ebuild">flatpak</product>
+ <announced>2024-06-22</announced>
+ <revised count="1">2024-06-22</revised>
+ <bug>930202</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-apps/flatpak" auto="yes" arch="*">
+ <unaffected range="ge">1.14.6</unaffected>
+ <vulnerable range="lt">1.14.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Flatpak is a Linux application sandboxing and distribution framework.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in Flatpak. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>A malicious or compromised Flatpak app could execute arbitrary code outside its sandbox in conjunction with xdg-desktop-portal.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Flatpak users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.14.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-32462">CVE-2024-32462</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-06-22T07:02:59.833368Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-06-22T07:02:59.837565Z">graaff</metadata>
+</glsa>
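Review bot: The second line of glsa-202406-01.xml, `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, names an external DTD over plain HTTP, and the same header opens glsa-202406-02 through -05 in this commit. Since this is an auto-resync mirror of upstream's advisory format, the point is for consumers of the feed rather than for this tree: parse these files with external DTD and entity loading disabled and validate against a locally vendored copy of glsa.dtd, so the document never decides what the parser fetches. A smaller point of style: glsa-202406-01, -02, -04 and -05 carry `\ No newline at end of file` markers while glsa-202406-03.xml ends with a newline, so the batch is inconsistent in a way a generator or pre-commit hook could normalise.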
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202406-03.xml b/metadata/glsa/glsa-202406-03.xml
new file mode 100644
index 000000000000..ea0ecac3e1bf
--- /dev/null
+++ b/metadata/glsa/glsa-202406-03.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202406-03">
+ <title>RDoc: Remote Code Execution</title>
+ <synopsis>A vulnerability has been discovered in RDoc, which can lead to execution of arbitrary code.</synopsis>
+ <product type="ebuild">rdoc</product>
+ <announced>2024-06-22</announced>
+ <revised count="2">2024-06-22</revised>
+ <bug>927565</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="dev-ruby/rdoc" auto="yes" arch="*">
+ <unaffected range="ge">6.6.3.1</unaffected>
+ <vulnerable range="lt">6.6.3.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>RDoc produces HTML and command-line documentation for Ruby projects.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in RDoc. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.
+
+When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All RDoc users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.6.3.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-27281">CVE-2024-27281</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-06-22T07:30:29.289298Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-06-22T07:30:29.293762Z">graaff</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202406-04.xml b/metadata/glsa/glsa-202406-04.xml
new file mode 100644
index 000000000000..cea7d0f601d5
--- /dev/null
+++ b/metadata/glsa/glsa-202406-04.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202406-04">
+ <title>LZ4: Memory Corruption</title>
+ <synopsis>A vulnerability has been discovered in LZ4, which can lead to memory corruption.</synopsis>
+ <product type="ebuild">lz4</product>
+ <announced>2024-06-22</announced>
+ <revised count="1">2024-06-22</revised>
+ <bug>791952</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-arch/lz4" auto="yes" arch="*">
+ <unaffected range="ge">1.9.3-r1</unaffected>
+ <vulnerable range="lt">1.9.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>LZ4 is a lossless compression algorithm, providing compression speed > 500 MB/s per core, scalable with multi-cores CPU. It features an extremely fast decoder, with speed in multiple GB/s per core, typically reaching RAM speed limits on multi-core systems.</p>
+ </background>
+ <description>
+ <p>An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash.</p>
+ </description>
+ <impact type="normal">
+ <p>The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All LZ4 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3520">CVE-2021-3520</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-06-22T08:02:03.295621Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-06-22T08:02:03.298226Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202406-05.xml b/metadata/glsa/glsa-202406-05.xml
new file mode 100644
index 000000000000..622d3fc82eaf
--- /dev/null
+++ b/metadata/glsa/glsa-202406-05.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202406-05">
+ <title>JHead: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in JHead, the worst of which may lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">jhead</product>
+ <announced>2024-06-22</announced>
+ <revised count="1">2024-06-22</revised>
+ <bug>876247</bug>
+ <bug>879801</bug>
+ <bug>908519</bug>
+ <access>local</access>
+ <affected>
+ <package name="media-gfx/jhead" auto="yes" arch="*">
+ <unaffected range="ge">3.08</unaffected>
+ <vulnerable range="lt">3.08</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>JHead is an EXIF JPEG header manipulation tool.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in JHead. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All JHead users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-gfx/jhead-3.08"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6624">CVE-2020-6624</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6625">CVE-2020-6625</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-34055">CVE-2021-34055</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28550">CVE-2022-28550</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41751">CVE-2022-41751</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-06-22T08:28:39.822960Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-06-22T08:28:39.825887Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index da7f46a38817..34d83b1ed55f 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Fri, 21 Jun 2024 22:40:33 +0000
+Sat, 22 Jun 2024 22:40:37 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 4a7b6a9c71b0..63866c4fbb8e 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-23f9961964e4ef86fe4fed4e36f8f2cbe2b47dfe 1717006097 2024-05-29T18:08:17Z
+70a36362e8053f3760826b4ccce860e94299c700 1719044953 2024-06-22T08:29:13Z
|
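Review bot: The `<impact type="normal">` paragraph of glsa-202406-05.xml, `<p>Please review the referenced CVE identifiers for details.</p>`, only repeats the `<description>` two elements above it and tells a reader nothing the advisory does not already state elsewhere. The synopsis on the same file already gives the worst case, so the impact could at least restate it, e.g. `<p>The worst of these vulnerabilities may lead to arbitrary code execution; see the referenced CVE identifiers for details.</p>`. That synopsis also sits uneasily beside `type="normal"` when the other four advisories rate code execution and privilege escalation as `high`; the scale is upstream's, so this is a question for the advisory authors rather than for this mirror commit. The timestamp.chk and timestamp.commit hunks are routine resync bumps and need no change.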