Fedoraproject Fedora vulnerabilities
5,277 known vulnerabilities affecting fedoraproject/fedora.
Total CVEs: 5,277
CISA KEV: 84 (actively exploited)
Public exploits: 147
Exploited in wild: 101
Severity breakdown: CRITICAL 514, HIGH 2325, MEDIUM 2265, LOW 173
Vulnerabilities
Page 33 of 264
CVE-2023-38497 [HIGH] CVSS 7.3, v38, 2023-08-04, CWE-278
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change t
nvd
CVE-2023-4135 [MEDIUM] CVSS 6.5, v38, 2023-08-04, CWE-125
A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.
nvd
CVE-2023-4073 [HIGH] CVSS 8.8, v38, 2023-08-03, CWE-119
Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
nvd
CVE-2023-3180 [MEDIUM] CVSS 6.5, v38, 2023-08-03, CWE-122
A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
nvd
CVE-2023-29408 [MEDIUM] CVSS 6.5, v37 v38, 2023-08-02, CWE-770
The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.
nvd
CVE-2023-29407 [MEDIUM] CVSS 6.5, v37 v38, 2023-08-02, CWE-834
A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.
nvd
CVE-2023-4016 [LOW] CVSS 3.3, v38, 2023-08-02, CWE-122
Under some circumstances, this weakness gives a user who has access to run the “ps” utility on a machine the ability to write almost unlimited amounts of unfiltered data into the process heap.
nvd
CVE-2023-38559 [MEDIUM] CVSS 5.5, v37 v38, 2023-08-01, CWE-125
A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.
nvd
CVE-2023-4004 [HIGH] CVSS 7.8, v38, 2023-07-31, CWE-416
A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.
nvd
CVE-2022-4907 [HIGH] CVSS 8.8, v37 v38, 2023-07-29
Uninitialized Use in FFmpeg in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2022-4926 [MEDIUM] CVSS 6.5, v38, 2023-07-29, CWE-522
Insufficient policy enforcement in Intents in Google Chrome on Android prior to 109.0.5414.119 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2022-4917 [MEDIUM] CVSS 4.3, v38, 2023-07-29, CWE-346
Incorrect security UI in Notifications in Google Chrome on Android prior to 103.0.5060.53 allowed a remote attacker to obscure the full screen notification via a crafted HTML page. (Chromium security severity: Low)
nvd
CVE-2023-37920 [CRITICAL] CVSS 9.8, v38, 2023-07-25, CWE-345
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Ce
nvd
CVE-2023-38200 [HIGH] CVSS 7.5, v38, 2023-07-24, CWE-400
A flaw was found in Keylime. Due to their blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL connections. This flaw allows an attacker to exhaust all available connections.
nvd
CVE-2023-1386 [HIGH] CVSS 7.8, v38, 2023-07-24, CWE-281
A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help
nvd
CVE-2023-38633 [MEDIUM] CVSS 5.5, v37 v38, 2023-07-22, CWE-22
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
nvd
CVE-2023-38408 [CRITICAL] CVSS 9.8, v37 v38, 2023-07-20
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
nvd
CVE-2023-34966 [HIGH] CVSS 7.5, v37 v38, 2023-07-20, CWE-835
An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked
nvd
CVE-2023-34967 [MEDIUM] CVSS 5.3, v37 v38, 2023-07-20, CWE-843
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dal
nvd
CVE-2022-2127 [MEDIUM] CVSS 5.9, v37 v38, 2023-07-20, CWE-125
An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM auth
nvd