Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/metadata
diff options
context:
space:
mode:
authorRepository QA checks <repo-qa-checks@gentoo.org>2017-01-29 16:22:28 +0000
committerRepository QA checks <repo-qa-checks@gentoo.org>2017-01-29 16:22:28 +0000
commit1cd70bf505cb1e7473939426dea8fbc571f994ad (patch)
treeca8cd2df2e8a60976a88bf56b54d40c79ab4222b /metadata
parentMerge updates from master (diff)
parentAdd GLSA 201701-70 (diff)
downloadgentoo-1cd70bf505cb1e7473939426dea8fbc571f994ad.tar.gz
gentoo-1cd70bf505cb1e7473939426dea8fbc571f994ad.tar.bz2
gentoo-1cd70bf505cb1e7473939426dea8fbc571f994ad.zip
Merge commit 'fafc2810bce6127c54a5cd85ea8968c04485c09a'
Diffstat (limited to 'metadata')
-rw-r--r--metadata/glsa/glsa-201701-67.xml47
-rw-r--r--metadata/glsa/glsa-201701-68.xml54
-rw-r--r--metadata/glsa/glsa-201701-69.xml54
-rw-r--r--metadata/glsa/glsa-201701-70.xml54
4 files changed, 209 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201701-67.xml b/metadata/glsa/glsa-201701-67.xml
new file mode 100644
index 000000000000..c88f32dd54d0
--- /dev/null
+++ b/metadata/glsa/glsa-201701-67.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201701-67">
+ <title>a2ps: Arbitrary code execution</title>
+ <synopsis>A vulnerability in a2ps' fixps script might allow remote attackers
+ to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">a2ps</product>
+ <announced>2017-01-29</announced>
+ <revised>2017-01-29: 1</revised>
+ <bug>506352</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-text/a2ps" auto="yes" arch="*">
+ <unaffected range="ge">4.14-r5</unaffected>
+ <vulnerable range="lt">4.14-r5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>a2ps is an Any to PostScript filter.</p>
+ </background>
+ <description>
+ <p>a2ps’ fixps script does not invoke gs with the -dSAFER option.</p>
+ </description>
+ <impact type="normal">
+ <p>Remote attackers, by enticing a user to process a specially crafted
+ PostScript file, could delete arbitrary files or execute arbitrary code
+ with the privileges of the process.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All a2ps users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-text/a2ps-4.14-r5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0466">CVE-2014-0466</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-01-24T18:44:55Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2017-01-29T16:07:45Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201701-68.xml b/metadata/glsa/glsa-201701-68.xml
new file mode 100644
index 000000000000..08fa57fe408a
--- /dev/null
+++ b/metadata/glsa/glsa-201701-68.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201701-68">
+ <title>FreeImage: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in FreeImage, the worst of
+ which may allow execution of arbitrary code
+ </synopsis>
+ <product type="ebuild">freeimage</product>
+ <announced>2017-01-29</announced>
+ <revised>2017-01-29: 1</revised>
+ <bug>559006</bug>
+ <bug>596350</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/freeimage" auto="yes" arch="*">
+ <unaffected range="ge">3.15.4-r1</unaffected>
+ <vulnerable range="lt">3.15.4-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FreeImage is an Open Source library project for developers who would
+ like to support popular graphics image formats like PNG, BMP, JPEG, TIFF
+ and others as needed by today’s multimedia applications.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in in FreeImage. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to process a specially crafted
+ image file, could possibly execute arbitrary code with the privileges of
+ the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FreeImage users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=media-libs/freeimage-3.15.4-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0852">CVE-2015-0852</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5684">CVE-2016-5684</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-01-23T08:24:46Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2017-01-29T16:12:52Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201701-69.xml b/metadata/glsa/glsa-201701-69.xml
new file mode 100644
index 000000000000..0d034abbd46f
--- /dev/null
+++ b/metadata/glsa/glsa-201701-69.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201701-69">
+ <title>Ark: Unintended execution of scripts and executable files</title>
+ <synopsis>A vulnerability in Ark might allow remote attackers to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">ark</product>
+ <announced>2017-01-29</announced>
+ <revised>2017-01-29: 1</revised>
+ <bug>604846</bug>
+ <access>remote</access>
+ <affected>
+ <package name="kde-apps/ark" auto="yes" arch="*">
+ <unaffected range="ge">16.08.3-r1</unaffected>
+ <vulnerable range="lt">16.08.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ark is a graphical file compression/decompression utility with support
+ for multiple formats.
+ </p>
+ </background>
+ <description>
+ <p>A vulnerability was discovered in how Ark handles executable files while
+ browsing a compressed archive. A user could unintentionally execute a
+ malicious script which has the executable bit set inside of the archive.
+ This is due to Ark not displaying what files are executable and running
+ the associated applications for the file type upon execution.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by coercing a user to browse a malicious archive file
+ within Ark and execute certain files, could execute arbitrary code with
+ the privileges of the user.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Ark users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=kde-apps/ark-16.08.3-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5330">CVE-2017-5330</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-01-20T15:24:35Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2017-01-29T16:19:07Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201701-70.xml b/metadata/glsa/glsa-201701-70.xml
new file mode 100644
index 000000000000..aba6fd53682d
--- /dev/null
+++ b/metadata/glsa/glsa-201701-70.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201701-70">
+ <title>Firewalld: Improper authentication methods</title>
+ <synopsis>A vulnerability in Firewalld allows firewall configurations to be
+ modified by unauthenticated users.
+ </synopsis>
+ <product type="ebuild">firewalld</product>
+ <announced>2017-01-29</announced>
+ <revised>2017-01-29: 1</revised>
+ <bug>591458</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-firewall/firewalld" auto="yes" arch="*">
+ <unaffected range="ge">0.4.3.3</unaffected>
+ <vulnerable range="lt">0.4.3.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Firewalld provides a dynamically managed firewall with support for
+ network/firewall zones to define the trust level of network connections
+ or interfaces.
+ </p>
+ </background>
+ <description>
+ <p>A flaw in Firewalld allows any locally logged in user to tamper with or
+ change firewall settings. This is due to how Firewalld handles
+ authentication via polkit which is not properly applied to 5 particular
+ functions to include: addPassthrough, removePassthrough, addEntry,
+ removeEntry, and setEntries.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could tamper or change firewall settings leading to the
+ additional exposure of systems to include unauthorized remote access.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Firewalld users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-firewall/firewalld-0.4.3.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5410">CVE-2016-5410</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-01-04T03:14:04Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2017-01-29T16:21:27Z">b-man</metadata>
+</glsa>