From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id E58CA159C9B
	for ; Sun, 11 Aug 2024 14:42:42 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 8AE0BE2BF7;
	Sun, 11 Aug 2024 14:41:44 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id C3378E2BCB
	for ; Sun, 11 Aug 2024 14:41:28 +0000 (UTC)
Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165])
	by smtp.gentoo.org (Postfix) with ESMTP id 129C233BEFF
	for ; Sun, 11 Aug 2024 14:41:28 +0000 (UTC)
Received: from [172.18.0.3] (unknown [172.18.0.3])
	by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id 027C1C75F0
	for ; Sun, 11 Aug 2024 14:41:28 +0000 (UTC)
Subject: [gentoo-announce] [ GLSA 202408-27 ] AFLplusplus: Arbitrary Code Execution
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-announce@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
	micalg="pgp-sha512"; boundary="===============3245156379450622177=="
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Sun, 11 Aug 2024 14:41:27 -0000
Message-ID: <172338728800.7.6860336385944622170@3f85d36892cf>
X-Archives-Salt: db3dc4bc-6e8f-40e2-a128-122533c93ab3
X-Archives-Hash: c9aa4878c995f04f42edba85db41936d

--===============3245156379450622177==
Content-Type: text/plain; charset="utf-8"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202408-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: AFLplusplus: Arbitrary Code Execution
     Date: August 11, 2024
     Bugs: #897924
       ID: 202408-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in AFLplusplus, which can lead to
arbitrary code execution via an untrusted CWD.

Background
==========

The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade,
collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power
schedules, MOpt mutators, unicorn_mode, and a lot more!

Affected packages
=================

Package                    Vulnerable    Unaffected
-------------------------  ------------  ------------
app-forensics/aflplusplus  < 4.06c       >= 4.06c

Description
===========

In AFL++ 4.05c, the CmpLog component uses the current working directory
to resolve and execute unprefixed fuzzing targets, allowing code
execution.

Impact
======

In AFL++ 4.05c, the CmpLog component uses the current working directory
to resolve and execute unprefixed fuzzing targets, allowing code
execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All AFLplusplus users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-forensics/aflplusplus-4.06c"

References
==========

[ 1 ] CVE-2023-26266
      https://nvd.nist.gov/vuln/detail/CVE-2023-26266

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-27

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
Any security concerns should be addressed to security@gentoo.org or
alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

--===============3245156379450622177==
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

--===============3245156379450622177==--
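
Added example, not part of the advisory and not AFL++ code: a sketch of the resolution rule that avoids the bug class named in the Description, where a target given without a path prefix is looked up only in absolute PATH entries and never in the current working directory. The function name resolve_target and its parameters are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not AFL++ code: turn a target name into the path that
 * will be executed, without ever resolving a bare name against the CWD.
 * Returns 0 and fills `out` on success, -1 if nothing safe was found. */
int resolve_target(const char *name, const char *path_env,
                   char *out, size_t outlen)
{
    struct stat st;

    if (!name || !*name || !out || outlen == 0)
        return -1;
    out[0] = '\0';

    /* A name with a '/' ("./target", "/opt/t") is an explicit choice. */
    if (strchr(name, '/')) {
        if (strlen(name) >= outlen)
            return -1;
        strcpy(out, name);
        return 0;
    }

    /* Bare name: search PATH only. Empty entries and relative entries
     * ("", ".", "bin") all mean "relative to the CWD", so skip them. */
    for (const char *p = path_env; p; ) {
        size_t len = strcspn(p, ":");
        if (len > 0 && p[0] == '/') {
            int n = snprintf(out, outlen, "%.*s/%s", (int)len, p, name);
            if (n > 0 && (size_t)n < outlen && stat(out, &st) == 0 &&
                S_ISREG(st.st_mode) && access(out, X_OK) == 0)
                return 0;
        }
        p = p[len] ? p + len + 1 : NULL;
    }
    out[0] = '\0';
    return -1;
}

int main(int argc, char **argv)
{
    char path[4096];
    if (argc < 2 || resolve_target(argv[1], getenv("PATH"), path, sizeof path))
        return fprintf(stderr, "no safe resolution for target\n"), 1;
    return puts(path) == EOF;
}
```

The caller should pass the returned path, not the original name, to the exec call so that every component that launches the target runs the same file.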