From 5181ced3f3566a9610b85922b083c8f84f20d78f Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Wed, 8 May 2024 00:00:57 +0100
Subject: gentoo auto-resync : 08:05:2024 - 00:00:57
---
metadata/glsa/Manifest | 30 ++++++++++----------
metadata/glsa/Manifest.files.gz | Bin 572194 -> 572670 bytes
metadata/glsa/glsa-202405-18.xml | 49 +++++++++++++++++++++++++++++++++
metadata/glsa/glsa-202405-19.xml | 42 ++++++++++++++++++++++++++++
metadata/glsa/glsa-202405-20.xml | 58 +++++++++++++++++++++++++++++++++++++++
metadata/glsa/timestamp.chk | 2 +-
metadata/glsa/timestamp.commit | 2 +-
7 files changed, 166 insertions(+), 17 deletions(-)
create mode 100644 metadata/glsa/glsa-202405-18.xml
create mode 100644 metadata/glsa/glsa-202405-19.xml
create mode 100644 metadata/glsa/glsa-202405-20.xml
(limited to 'metadata/glsa')
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 3e851356a9bb..d234b6e408ad 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 572194 BLAKE2B 736dd063af339592e54b5eb6a96b21fa114076b32923b0103db465e82be98d9a5dc5a73f66156af8907ecc1ce8bcd1ef8a09c8d98208c594ebc2cd3109b3d410 SHA512 b7dadaeb677f04cc391368d9d0aea276a0639d56dc6eaec3d59d5bbc8046775a8cf34c4047312d631a6f118781f907bf1c585178c705c0b9200dac6163ecedbe -TIMESTAMP 2024-05-06T22:10:18Z +MANIFEST Manifest.files.gz 572670 BLAKE2B 53f887b1afdbde7318d64b5a2773bb5d9df44b119ad24b5683fbd2ae80615cb88bc0e858597f3342fc169482d9775591c1b93c38f6679166daa01f65e8ee2bd2 SHA512 e2ab6ec1262d65f9a9d9eec3c3a120c56903ac41761a8bd30674704a65d489d45a5909a6dcd6e413aa3493f4105d540fb62b8398ce239d745de856eaed58b752 +TIMESTAMP 2024-05-07T22:10:22Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmY5VUpfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmY6ps5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klC7HA//Q/IdUwO+Kpd3wfQxZDxUGt3meOmOY7Kw6/9LLQbPPKgwsdmuRELt8h9J -DrMQjFdaP9qNl301nsanZwQM+GOjFdmhoMU79aYGkE8AOTkXQwpQf060LbpBpiec -FhKdrqmZ/fwgCOkKWGH227opWjaebsFNqxks1CFSvETeaR3+WECvs6J9m4baOqOc -GzQR74AGjJ5bpLTuXDwu8R8C6pBJNi/wBgMkxygaj9L2l4/thjXigbxr3GvW2Sam -SXt5xAFQgE+kZ8LCeyQWjBsTb2G9dwU6ns1a2Oyn9UgMa2QeGSrthhJlYhvvJlSY -lj54O2580B1qyI6kCo5m9t2dOFQXOXPhKBChilYkqX33CYHR6S9oC7zeLA5gircT -qrLZ5x3By9gUXrKjqr0KDL/ceOWw9DM3U2cwEHxZBguUaje3K2SD8cvwvLXHp83J -FAAlpPIAyAEX6BMxyiwFQh8gsXpcyytErOs7my/Xc8qhgSiHTwt9J9O3NQPnxKji -hEo1vNjxuLTECTCq6kjzL5shH5VVvXARGNsTcqvimlKn2J7WGdsmBQEwLOIIXrA0 -WThbOvTu3tJ7NEQhOw4RizhlXCIqnogoEjlrHd3tnXt+4Bf7A/fyLImV/7+2Cl1r -9oL6dxCJLMI/Vz0VVVHd+6H5c9PsI/Eohb9Dm80P1IPeXMzeM0Y= -=bXMC +klB1/w//WJXneRPc+YVII9sGyLh9HqZPptD+DI9yXhadG1hzslhH6fD58XOkV6di +H8rWQvUUnwGbgjK4aTKB/NZ7XsUMeKLIw1YwuYGxfGU+jL68UJ96AuoApxhW5QtY +wymJHOQfMHF4Qzn45zdSXzCIV8SlcWYCdk8yh0paLuJZ/4ZPAViYcsKqrvUILsfK 
+9G72UFD3N5nqQGQSfUNtE9pyEY8uTFn9+seE/FvKhurVU26R7/6jIlsUqMK0XHvs +j0CHFP3eiQr0i5aC03OcxvZt9FTz94sGd18zxBwhAD/G1g1iCqNCs5u6PnR/BgL0 +7We8ERDW7Ia7fkI15w9AklrgEEGG2jL0udJ+qvx9xXzoPUf98iOmQy61/nUIcgR0 +lShfCnqfyyKZWEJbWUwJ/f6XuMRya5fM6LPni5qpTTcS3Atm1ee2Ju7Fi6CVCLxL +SqJnyQbvFFwgHIfi2TgGQ6sWPEy/pw9qqoMNHIetB2ZWOy5AeVPUZNR4S16YoUc/ +AiNYdEupWBVJXXt4q8/io0WT8LH+oeS2IgwFRwaHzkXwV/ZO4XIAf8u42GL+u0dT +0YDiIBVJjZBhfYFSd553tQUU8ZRM8ZOEf+Uet2k9cKgdY+0CcKaAk3Vw7A9xbM7z +SsGNJOrLflP/7Jg8vIXQZudzMQEDMoDKBQxCINTJopSHwQNtW5E= +=I47p -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index c5bad3d1e52f..14dcfb5cf364 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-202405-18.xml b/metadata/glsa/glsa-202405-18.xml new file mode 100644 index 000000000000..ecec50f0d14f --- /dev/null +++ b/metadata/glsa/glsa-202405-18.xml @@ -0,0 +1,49 @@ + + + + Xpdf: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Xpdf, the worst of which could possibly lead to arbitrary code execution. + xpdf + 2024-05-07 + 2024-05-07 + 755938 + 840873 + remote + + + 4.04 + 4.04 + + + +

Xpdf is an X viewer for PDF files.

+
+ +

Multiple vulnerabilities have been discovered in Xpdf. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Xpdf users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/xpdf-4.04" + +
+ + CVE-2020-25725 + CVE-2020-35376 + CVE-2021-27548 + CVE-2022-24106 + CVE-2022-24107 + CVE-2022-27135 + CVE-2022-38171 + + graaff + graaff +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202405-19.xml b/metadata/glsa/glsa-202405-19.xml new file mode 100644 index 000000000000..5ae43a639f34 --- /dev/null +++ b/metadata/glsa/glsa-202405-19.xml @@ -0,0 +1,42 @@ + + + + xar: Unsafe Extraction + A vulnerability has been discovered in xar, which can lead to privilege escalation. + xar + 2024-05-07 + 2024-05-07 + 820641 + remote + + + 1.8.0.0.487.100.1 + 1.8.0.0.487.100.1 + + + +

xar provides an easily extensible archive format.

+
+ +

A vulnerability has been discovered in xar. Please review the CVE identifier referenced below for details.

+
+ +

xar allows for a forward-slash separated path to be specified in the file name property, e.g. <name>x/foo</name> – as long as it doesn’t traverse upwards, and the path exists within the current directory. This means an attacker can create a .xar file which contains both a directory symlink, and a file with a name property which points into the extracted symlink directory. By abusing symlink directories in this manner, an attacker can write arbitrary files to any directory on the filesystem – providing the user has permissions to write to it.

+
+ +

There is no known workaround at this time.

+
+ +

All xar users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/xar-1.8.0.0.487.100.1" + +
+ + CVE-2021-30833 + + graaff + graaff +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202405-20.xml b/metadata/glsa/glsa-202405-20.xml new file mode 100644 index 000000000000..e8bf7d00eb24 --- /dev/null +++ b/metadata/glsa/glsa-202405-20.xml @@ -0,0 +1,58 @@ + + + + libjpeg-turbo: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in libjpeg-turbo, the worst of which could lead to arbitrary code execution. + libjpeg-turbo + 2024-05-07 + 2024-05-07 + 797424 + 814206 + remote + + + 2.1.1 + 2.1.1 + + + +

libjpeg-turbo is a MMX, SSE, and SSE2 SIMD accelerated JPEG library.

+
+ +

Multiple vulnerabilities have been discovered in libjpeg-turbo. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All libjpeg-turbo users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-2.1.1" + +
+ + CVE-2020-17541 + CVE-2021-37956 + CVE-2021-37957 + CVE-2021-37958 + CVE-2021-37959 + CVE-2021-37960 + CVE-2021-37961 + CVE-2021-37962 + CVE-2021-37963 + CVE-2021-37965 + CVE-2021-37966 + CVE-2021-37967 + CVE-2021-37968 + CVE-2021-37970 + CVE-2021-37971 + CVE-2021-37972 + + graaff + graaff +
\ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 75526f1f978f..207b8eb9b990 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Mon, 06 May 2024 22:10:15 +0000 +Tue, 07 May 2024 22:10:19 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 3b0047a72b19..88c796a7b0d1 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -321e9a106808c3799e6007bf5459c5b6adb657a3 1715012485 2024-05-06T16:21:25+00:00 +508b72c9779f4f058551ebb133c5d5f21fd4e654 1715058264 2024-05-07T05:04:24+00:00 -- cgit v1.2.3