Gentoo 2485 Published by

The following security updates are available for Gentoo Linux:

[ GLSA 202312-06 ] Exiv2: Multiple Vulnerabilities
[ GLSA 202312-05 ] libssh: Multiple Vulnerabilities
[ GLSA 202312-04 ] Arduino: Remote Code Execution
[ GLSA 202312-07 ] QtWebEngine: Multiple Vulnerabilities
[ GLSA 202312-09 ] NASM: Multiple Vulnerabilities
[ GLSA 202312-08 ] LibRaw: Heap Buffer Overflow




[ GLSA 202312-06 ] Exiv2: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202312-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Exiv2: Multiple Vulnerabilities
Date: December 22, 2023
Bugs: #785646, #807346, #917650
ID: 202312-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Exiv2, the worst of
which can lead to remote code execution.

Background
==========

Exiv2 is a C++ library and set of tools for parsing, editing and saving
Exif and IPTC metadata from images. Exif, the Exchangeable image file
format, specifies the addition of metadata tags to JPEG, TIFF and RIFF
files.

Affected packages
=================

Package Vulnerable Unaffected
--------------- ------------ ------------
media-gfx/exiv2 < 0.28.1 >= 0.28.1

Description
===========

Multiple vulnerabilities have been discovered in Exiv2. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Exiv2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/exiv2-0.28.1"

References
==========

[ 1 ] CVE-2020-18771
https://nvd.nist.gov/vuln/detail/CVE-2020-18771
[ 2 ] CVE-2020-18773
https://nvd.nist.gov/vuln/detail/CVE-2020-18773
[ 3 ] CVE-2020-18774
https://nvd.nist.gov/vuln/detail/CVE-2020-18774
[ 4 ] CVE-2020-18899
https://nvd.nist.gov/vuln/detail/CVE-2020-18899
[ 5 ] CVE-2021-29457
https://nvd.nist.gov/vuln/detail/CVE-2021-29457
[ 6 ] CVE-2021-29458
https://nvd.nist.gov/vuln/detail/CVE-2021-29458
[ 7 ] CVE-2021-29463
https://nvd.nist.gov/vuln/detail/CVE-2021-29463
[ 8 ] CVE-2021-29464
https://nvd.nist.gov/vuln/detail/CVE-2021-29464
[ 9 ] CVE-2021-29470
https://nvd.nist.gov/vuln/detail/CVE-2021-29470
[ 10 ] CVE-2021-29473
https://nvd.nist.gov/vuln/detail/CVE-2021-29473
[ 11 ] CVE-2021-29623
https://nvd.nist.gov/vuln/detail/CVE-2021-29623
[ 12 ] CVE-2021-31291
https://nvd.nist.gov/vuln/detail/CVE-2021-31291
[ 13 ] CVE-2021-31292
https://nvd.nist.gov/vuln/detail/CVE-2021-31292
[ 14 ] CVE-2021-32617
https://nvd.nist.gov/vuln/detail/CVE-2021-32617
[ 15 ] CVE-2021-32815
https://nvd.nist.gov/vuln/detail/CVE-2021-32815
[ 16 ] CVE-2021-34334
https://nvd.nist.gov/vuln/detail/CVE-2021-34334
[ 17 ] CVE-2021-34335
https://nvd.nist.gov/vuln/detail/CVE-2021-34335
[ 18 ] CVE-2021-37615
https://nvd.nist.gov/vuln/detail/CVE-2021-37615
[ 19 ] CVE-2021-37616
https://nvd.nist.gov/vuln/detail/CVE-2021-37616
[ 20 ] CVE-2021-37618
https://nvd.nist.gov/vuln/detail/CVE-2021-37618
[ 21 ] CVE-2021-37619
https://nvd.nist.gov/vuln/detail/CVE-2021-37619
[ 22 ] CVE-2021-37620
https://nvd.nist.gov/vuln/detail/CVE-2021-37620
[ 23 ] CVE-2021-37621
https://nvd.nist.gov/vuln/detail/CVE-2021-37621
[ 24 ] CVE-2021-37622
https://nvd.nist.gov/vuln/detail/CVE-2021-37622
[ 25 ] CVE-2021-37623
https://nvd.nist.gov/vuln/detail/CVE-2021-37623
[ 26 ] CVE-2023-44398
https://nvd.nist.gov/vuln/detail/CVE-2023-44398

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202312-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202312-05 ] libssh: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202312-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: libssh: Multiple Vulnerabilities
Date: December 22, 2023
Bugs: #810517, #905746
ID: 202312-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in libssh, the worst of
which could lead to remote code execution.

Background
==========

libssh is a multiplatform C library implementing the SSHv2 protocol on
client and server side.

Affected packages
=================

Package Vulnerable Unaffected
--------------- ------------ ------------
net-libs/libssh < 0.10.5 >= 0.10.5

Description
===========

Multiple vulnerabilities have been discovered in libssh. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libssh users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libssh-0.10.5"

References
==========

[ 1 ] CVE-2021-3634
https://nvd.nist.gov/vuln/detail/CVE-2021-3634
[ 2 ] CVE-2023-1667
https://nvd.nist.gov/vuln/detail/CVE-2023-1667
[ 3 ] CVE-2023-2283
https://nvd.nist.gov/vuln/detail/CVE-2023-2283
[ 4 ] GHSL-2023-085

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202312-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202312-04 ] Arduino: Remote Code Execution


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202312-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Arduino: Remote Code Execution
Date: December 22, 2023
Bugs: #830716
ID: 202312-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Arduino which bundled a vulnerable
version of log4j.

Background
==========

Arduino is an open-source AVR electronics prototyping platform.

Affected packages
=================

Package Vulnerable Unaffected
-------------------- ------------ ------------
dev-embedded/arduino < 1.8.19 >= 1.8.19

Description
===========

A vulnerability has been discovered in Arduino. Please review the CVE
identifier referenced below for details.

Impact
======

Arduino bundles a vulnerable version of log4j that may lead to remote
code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Arduino users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-embedded/arduino-1.8.19"

References
==========

[ 1 ] CVE-2021-4104
https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202312-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202312-07 ] QtWebEngine: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202312-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: QtWebEngine: Multiple Vulnerabilities
Date: December 22, 2023
Bugs: #913050, #915465
ID: 202312-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilitiies have been discovered in QtWebEngine, the worst
of which could lead to remote code execution.

Background
==========

QtWebEngine is a library for rendering dynamic web content in Qt5 and
Qt6 C++ and QML applications.

Affected packages
=================

Package Vulnerable Unaffected
------------------ ------------------- --------------------
dev-qt/qtwebengine < 5.15.11_p20231120 >= 5.15.11_p20231120

Description
===========

Multiple vulnerabilities have been discovered in QtWebEngine. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QtWebEngine users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.11_p20231120"

References
==========

[ 1 ] CVE-2023-4068
https://nvd.nist.gov/vuln/detail/CVE-2023-4068
[ 2 ] CVE-2023-4069
https://nvd.nist.gov/vuln/detail/CVE-2023-4069
[ 3 ] CVE-2023-4070
https://nvd.nist.gov/vuln/detail/CVE-2023-4070
[ 4 ] CVE-2023-4071
https://nvd.nist.gov/vuln/detail/CVE-2023-4071
[ 5 ] CVE-2023-4072
https://nvd.nist.gov/vuln/detail/CVE-2023-4072
[ 6 ] CVE-2023-4073
https://nvd.nist.gov/vuln/detail/CVE-2023-4073
[ 7 ] CVE-2023-4074
https://nvd.nist.gov/vuln/detail/CVE-2023-4074
[ 8 ] CVE-2023-4075
https://nvd.nist.gov/vuln/detail/CVE-2023-4075
[ 9 ] CVE-2023-4076
https://nvd.nist.gov/vuln/detail/CVE-2023-4076
[ 10 ] CVE-2023-4077
https://nvd.nist.gov/vuln/detail/CVE-2023-4077
[ 11 ] CVE-2023-4078
https://nvd.nist.gov/vuln/detail/CVE-2023-4078
[ 12 ] CVE-2023-4761
https://nvd.nist.gov/vuln/detail/CVE-2023-4761
[ 13 ] CVE-2023-4762
https://nvd.nist.gov/vuln/detail/CVE-2023-4762
[ 14 ] CVE-2023-4763
https://nvd.nist.gov/vuln/detail/CVE-2023-4763
[ 15 ] CVE-2023-4764
https://nvd.nist.gov/vuln/detail/CVE-2023-4764
[ 16 ] CVE-2023-5218
https://nvd.nist.gov/vuln/detail/CVE-2023-5218
[ 17 ] CVE-2023-5473
https://nvd.nist.gov/vuln/detail/CVE-2023-5473
[ 18 ] CVE-2023-5474
https://nvd.nist.gov/vuln/detail/CVE-2023-5474
[ 19 ] CVE-2023-5475
https://nvd.nist.gov/vuln/detail/CVE-2023-5475
[ 20 ] CVE-2023-5476
https://nvd.nist.gov/vuln/detail/CVE-2023-5476
[ 21 ] CVE-2023-5477
https://nvd.nist.gov/vuln/detail/CVE-2023-5477
[ 22 ] CVE-2023-5478
https://nvd.nist.gov/vuln/detail/CVE-2023-5478
[ 23 ] CVE-2023-5479
https://nvd.nist.gov/vuln/detail/CVE-2023-5479
[ 24 ] CVE-2023-5480
https://nvd.nist.gov/vuln/detail/CVE-2023-5480
[ 25 ] CVE-2023-5481
https://nvd.nist.gov/vuln/detail/CVE-2023-5481
[ 26 ] CVE-2023-5482
https://nvd.nist.gov/vuln/detail/CVE-2023-5482
[ 27 ] CVE-2023-5483
https://nvd.nist.gov/vuln/detail/CVE-2023-5483
[ 28 ] CVE-2023-5484
https://nvd.nist.gov/vuln/detail/CVE-2023-5484
[ 29 ] CVE-2023-5485
https://nvd.nist.gov/vuln/detail/CVE-2023-5485
[ 30 ] CVE-2023-5486
https://nvd.nist.gov/vuln/detail/CVE-2023-5486
[ 31 ] CVE-2023-5487
https://nvd.nist.gov/vuln/detail/CVE-2023-5487
[ 32 ] CVE-2023-5849
https://nvd.nist.gov/vuln/detail/CVE-2023-5849
[ 33 ] CVE-2023-5850
https://nvd.nist.gov/vuln/detail/CVE-2023-5850
[ 34 ] CVE-2023-5851
https://nvd.nist.gov/vuln/detail/CVE-2023-5851
[ 35 ] CVE-2023-5852
https://nvd.nist.gov/vuln/detail/CVE-2023-5852
[ 36 ] CVE-2023-5853
https://nvd.nist.gov/vuln/detail/CVE-2023-5853
[ 37 ] CVE-2023-5854
https://nvd.nist.gov/vuln/detail/CVE-2023-5854
[ 38 ] CVE-2023-5855
https://nvd.nist.gov/vuln/detail/CVE-2023-5855
[ 39 ] CVE-2023-5856
https://nvd.nist.gov/vuln/detail/CVE-2023-5856
[ 40 ] CVE-2023-5857
https://nvd.nist.gov/vuln/detail/CVE-2023-5857
[ 41 ] CVE-2023-5858
https://nvd.nist.gov/vuln/detail/CVE-2023-5858
[ 42 ] CVE-2023-5859
https://nvd.nist.gov/vuln/detail/CVE-2023-5859
[ 43 ] CVE-2023-5996
https://nvd.nist.gov/vuln/detail/CVE-2023-5996
[ 44 ] CVE-2023-5997
https://nvd.nist.gov/vuln/detail/CVE-2023-5997
[ 45 ] CVE-2023-6112
https://nvd.nist.gov/vuln/detail/CVE-2023-6112

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202312-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202312-09 ] NASM: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202312-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: NASM: Multiple Vulnerabilities
Date: December 22, 2023
Bugs: #686720, #903755
ID: 202312-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in NASM, the worst of
which could lead to arbitrary code execution.

Background
==========

NASM is a 80x86 assembler that has been created for portability and
modularity. NASM supports Pentium, P6, SSE MMX, and 3DNow extensions. It
also supports a wide range of objects formats (ELF, a.out, COFF, etc),
and has its own disassembler.

Affected packages
=================

Package Vulnerable Unaffected
------------- ------------ ------------
dev-lang/nasm < 2.16.01 >= 2.16.01

Description
===========

Multiple vulnerabilities have been discovered in NASM. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NASM users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/nasm-2.16.01"

References
==========

[ 1 ] CVE-2019-8343
https://nvd.nist.gov/vuln/detail/CVE-2019-8343
[ 2 ] CVE-2020-21528
https://nvd.nist.gov/vuln/detail/CVE-2020-21528
[ 3 ] CVE-2022-44370
https://nvd.nist.gov/vuln/detail/CVE-2022-44370

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202312-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202312-08 ] LibRaw: Heap Buffer Overflow


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202312-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: LibRaw: Heap Buffer Overflow
Date: December 22, 2023
Bugs: #908041
ID: 202312-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in LibRaw where a heap buffer overflow
may lead to an application crash.

Background
==========

LibRaw is a library for reading RAW files obtained from digital photo
cameras.

Affected packages
=================

Package Vulnerable Unaffected
----------------- ------------ ------------
media-libs/libraw < 0.21.1-r1 >= 0.21.1-r1

Description
===========

A vulnerability has been discovered in LibRaw. Please review the CVE
identifier referenced below for details.

Impact
======

A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted
file may lead to an application crash.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LibRaw users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libraw-0.21.1-r1"

References
==========

[ 1 ] CVE-2023-1729
https://nvd.nist.gov/vuln/detail/CVE-2023-1729

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202312-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5