Re: [oss-security] Question about (in)security of fdk-aac-free in linux distros

2025-08-14 Thread Sam James
Jordan Glover writes: > This post presents question about (in)security of fdk-aac-free package > library packaged by several linux distros. I hope someone on the list finds > it worth reading. I think we should include Martin in this conversation. (I've not snipped the email for his benefit.)

Re: [oss-security] CVE-2011-10007: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name

2025-06-05 Thread Sam James
Timothy Legge writes: > [...] > File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code > Execution when `grep()` encounters a crafted filename. > > A file handle is opened with the 2 argument form of `open()` allowing > an attacker controlled filename to provide the MODE parameter

Re: [oss-security] XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115)

2025-04-05 Thread Sam James
Sam James writes: > Sam James writes: > >> # Impact >> >> The threaded .xz decoder in liblzma has a bug that can at least result >> in a crash (denial of service). The effects include heap use after free >> and writing to an address based on the null pointe

[oss-security] XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115)

2025-04-03 Thread Sam James
# Credits Thanks to Harri K. Koskinen for discovering and reporting this issue. Thanks to Sebastian Andrzej Siewior for reviewing the patches. Thanks to Sam James for general help. # Why fuzzing didn't find this? XZ Utils is fuzzed by OSS-Fuzz. However, there was no program to fuzz the multithrea

[oss-security] Re: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115)

2025-04-03 Thread Sam James
Sam James writes: > # Impact > > The threaded .xz decoder in liblzma has a bug that can at least result > in a crash (denial of service). The effects include heap use after free > and writing to an address based on the null pointer plus an offset. > > This affects X

Re: [oss-security] Oracle January 2025 Critical Patch Update

2025-01-25 Thread Sam James
Solar Designer writes: > On Thu, Jan 23, 2025 at 09:24:14AM -0800, Alan Coopersmith wrote: >> The open source packages delivered in Oracle Linux & Oracle Solaris are >> listed separately, but these are downstreams, so I've always thought they'd >> be off topic here, since we normally only cover u

Re: [oss-security] escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise)

2024-05-02 Thread Sam James
Solar Designer writes: > On Wed, Apr 03, 2024 at 11:03:17AM +1100, Matthew Fernandez wrote: >> On 4/1/24 08:30, Solar Designer wrote: >> >On Sat, Mar 30, 2024 at 04:37:48PM -, Tavis Ormandy wrote: >> >>It was also pointed out they submitted an odd PR to libarchive: >> >> >> >>https://github.c

[oss-security] Suspicious hook-loading mechanism in hyprland

2024-04-28 Thread Sam James
Hi! Someone passed along https://blog.vaxry.net/articles/2024-own-malloc to me, and I noticed some curious bits. hyprland seems to have committed an interesting homebrew malloc implementation (which is fine in theory), but the reasons for it existing & how it works are not so fine. First, it rel

Re: [oss-security] Update on the distro-backdoor-scanner effort

2024-04-26 Thread Sam James
Simon McVittie writes: > On Fri, 26 Apr 2024 at 14:06:16 -0600, Hank Leininger wrote: >> - Turns out serial numbers are made up and the points don't matter. >> But still, this author appears to have _thought_ they were >> important. > > The serial number of a m4 file matters if the atta

Re: [oss-security] less(1) with LESSOPEN mishandles \n in paths

2024-04-12 Thread Sam James
Jakub Wilk writes: > less(1) does not correctly escape newlines in pathnames when > constructing command line of the input preprocessor. If a user ran > less(1) on files with untrusted names, this could result in execution > of arbitrary code. > > The input preprocessor is enabled by the LESSOPEN