Gentoo 2503 Published by

The following security updates are available for Gentoo Linux:

[ GLSA 202408-19 ] ncurses: Multiple Vulnerabilities
[ GLSA 202408-18 ] QEMU: Multiple Vulnerabilities
[ GLSA 202408-17 ] Nautilus: Denial of Service
[ GLSA 202408-16 ] re2c: Denial of Service
[ GLSA 202408-15 ] Percona XtraBackup: Multiple Vulnerabilities
[ GLSA 202408-14 ] Librsvg: Arbitrary File Read




[ GLSA 202408-19 ] ncurses: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ncurses: Multiple Vulnerabilities
Date: August 09, 2024
Bugs: #839351, #904247
ID: 202408-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in ncurses, the worst of
which could lead to a denial of service.

Background
==========

Free software emulation of curses in System V.

Affected packages
=================

Package                  Vulnerable        Unaffected
-----------------------  ----------------  ----------------
sys-libs/ncurses         < 6.4_p20230408   >= 6.4_p20230408
sys-libs/ncurses-compat  < 6.4_p20240330   >= 6.4_p20240330

Description
===========

Multiple vulnerabilities have been discovered in ncurses. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ncurses users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/ncurses-6.4_p20230408"
# emerge --ask --oneshot --verbose ">=sys-libs/ncurses-compat-6.4_p20240330"

References
==========

[ 1 ] CVE-2022-29458
https://nvd.nist.gov/vuln/detail/CVE-2022-29458
[ 2 ] CVE-2023-29491
https://nvd.nist.gov/vuln/detail/CVE-2023-29491

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-18 ] QEMU: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: QEMU: Multiple Vulnerabilities
Date: August 09, 2024
Bugs: #857657, #865121, #883693, #909542
ID: 202408-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in QEMU, the worst of
which could lead to a denial of service.

Background
==========

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=================

Package             Vulnerable    Unaffected
------------------  ------------  ------------
app-emulation/qemu  < 8.0.0       >= 8.0.0

Description
===========

Multiple vulnerabilities have been discovered in QEMU. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/qemu-8.0.0"

References
==========

[ 1 ] CVE-2020-14394
https://nvd.nist.gov/vuln/detail/CVE-2020-14394
[ 2 ] CVE-2022-0216
https://nvd.nist.gov/vuln/detail/CVE-2022-0216
[ 3 ] CVE-2022-1050
https://nvd.nist.gov/vuln/detail/CVE-2022-1050
[ 4 ] CVE-2022-2962
https://nvd.nist.gov/vuln/detail/CVE-2022-2962
[ 5 ] CVE-2022-4144
https://nvd.nist.gov/vuln/detail/CVE-2022-4144
[ 6 ] CVE-2022-4172
https://nvd.nist.gov/vuln/detail/CVE-2022-4172
[ 7 ] CVE-2022-35414
https://nvd.nist.gov/vuln/detail/CVE-2022-35414
[ 8 ] CVE-2023-1544
https://nvd.nist.gov/vuln/detail/CVE-2023-1544
[ 9 ] CVE-2023-2861
https://nvd.nist.gov/vuln/detail/CVE-2023-2861

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-18



[ GLSA 202408-17 ] Nautilus: Denial of Service


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Nautilus: Denial of Service
Date: August 09, 2024
Bugs: #881509
ID: 202408-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Nautilus, which can lead to a
denial of service.

Background
==========

Default file manager for the GNOME desktop.

Affected packages
=================

Package              Vulnerable    Unaffected
-------------------  ------------  ------------
gnome-base/nautilus  < 44.0        >= 44.0

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

GNOME Nautilus allows a NULL pointer dereference and get_basename
application crash via a pasted ZIP archive.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Nautilus users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/nautilus-44.0"

References
==========

[ 1 ] CVE-2022-37290
https://nvd.nist.gov/vuln/detail/CVE-2022-37290

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-17



[ GLSA 202408-16 ] re2c: Denial of Service


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: re2c: Denial of Service
Date: August 09, 2024
Bugs: #719872
ID: 202408-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in re2c, which can lead to a denial
of service.

Background
==========

re2c is a tool for generating C-based recognizers from regular
expressions.

Affected packages
=================

Package        Vulnerable    Unaffected
-------------  ------------  ------------
dev-util/re2c  < 2.0         >= 2.0

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

Please review the CVE identifier referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All re2c users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/re2c-2.0"

References
==========

[ 1 ] CVE-2018-21232
https://nvd.nist.gov/vuln/detail/CVE-2018-21232

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-16



[ GLSA 202408-15 ] Percona XtraBackup: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Percona XtraBackup: Multiple Vulnerabilities
Date: August 09, 2024
Bugs: #849389, #908033
ID: 202408-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Percona XtraBackup, the
worst of which could lead to arbitrary code execution.

Background
==========

Percona XtraBackup is a complete and open source online backup solution
for all versions of MySQL.

Affected packages
=================

Package                        Vulnerable    Unaffected
-----------------------------  ------------  ------------
dev-db/percona-xtrabackup      < 8.0.29.22   >= 8.0.29.22
dev-db/percona-xtrabackup-bin  < 8.0.29.22   Vulnerable!

Description
===========

Multiple vulnerabilities have been discovered in Percona XtraBackup.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Percona XtraBackup users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/percona-xtrabackup-8.0.29.22"

Gentoo has discontinued support for the binary package. Users should
remove this from their system:

# emerge --sync
# emerge --ask --verbose --depclean "dev-db/percona-xtrabackup-bin"

References
==========

[ 1 ] CVE-2022-25834
https://nvd.nist.gov/vuln/detail/CVE-2022-25834
[ 2 ] CVE-2022-26944
https://nvd.nist.gov/vuln/detail/CVE-2022-26944

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-15



[ GLSA 202408-14 ] Librsvg: Arbitrary File Read


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Librsvg: Arbitrary File Read
Date: August 09, 2024
Bugs: #918100
ID: 202408-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Librsvg, which can lead to
arbitrary file reads.

Background
==========

Librsvg is a library to render SVG files using cairo as a rendering
engine.

Affected packages
=================

Package             Vulnerable    Unaffected
------------------  ------------  ------------
gnome-base/librsvg  < 2.56.3      >= 2.56.3

Description
===========

A directory traversal problem in the URL decoder of librsvg could be
used by local or remote attackers to disclose files (on the local
filesystem outside of the expected area), as demonstrated by
href=".?../../../../../../../../../../etc/passwd" in an xi:include
element.

Impact
======

Please review the referenced CVE identifier for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Librsvg users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/librsvg-2.56.3"
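The Affected packages tables and Resolution steps in the advisories above all hinge on where an installed version sits relative to a "<" bound such as 6.4_p20230408, which only makes sense under Gentoo's own version ordering. The following is an added Python example, not Gentoo's or Portage's code, that implements the PMS version ordering those atoms use (numeric components, optional letter, _alpha/_beta/_pre/_rc/_p suffixes, -r revision) so a version string can be tested against a GLSA bound offline; the bounds are the ones from the tables above and any installed versions fed to it are constructed.

```python
import re

# Gentoo (PMS section 3.3) version ordering, enough to test an installed
# version against the "Vulnerable <" bound of a GLSA affected-packages table.
# Suffix order: _alpha < _beta < _pre < _rc < (none) < _p.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$")

def _cmp(a, b):
    return (a > b) - (a < b)

def parse_version(v):
    """Split '6.4_p20230408-r1' into (numeric parts, letter, suffixes, revision)."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {v!r}")
    nums, letter, suffixes, rev = m.groups()
    parsed = [(name, int(num or 0))
              for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", suffixes)]
    return nums.split("."), letter, parsed, int(rev or 0)

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    for i in range(max(len(na), len(nb))):
        if i >= len(na) or i >= len(nb):          # more components means newer
            return _cmp(len(na), len(nb))
        x, y = na[i], nb[i]
        if i > 0 and (x.startswith("0") or y.startswith("0")):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))  # leading zero: compare as strings
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    if la != lb:                                  # optional trailing letter, e.g. 1.0b
        return _cmp(la, lb)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else ("", 0)     # no suffix ranks between _rc and _p
        y = sb[i] if i < len(sb) else ("", 0)
        c = _cmp(_SUFFIX_RANK[x[0]], _SUFFIX_RANK[y[0]]) or _cmp(x[1], y[1])
        if c:
            return c
    return _cmp(ra, rb)                           # finally the -rN revision

def is_vulnerable(installed, vulnerable_below):
    """True if installed is older than the 'Vulnerable <' bound in a GLSA table.
    Constructed example: is_vulnerable('6.4_p20230101', '6.4_p20230408') is True,
    while a plain '6.4' is also below the _p snapshot and '6.4_p20230408-r1' is not."""
    return compare_versions(installed, vulnerable_below) < 0
```

Feed it the version part of an installed atom (for example from `portageq best_version / sys-libs/ncurses`) together with the bound from the table; it does not cover rows like percona-xtrabackup-bin that have no unaffected version at all.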

References
==========

[ 1 ] CVE-2023-38633
https://nvd.nist.gov/vuln/detail/CVE-2023-38633

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-14
