Gentoo 2512 Published by

Gentoo Linux has received security upgrades for Tor, ZNC, GCC, and Hunspell, which address a number of issues relating to remote code execution, faulty code generation, and hacking:

[ GLSA 202409-24 ] Tor: Multiple Vulnerabilities
[ GLSA 202409-23 ] ZNC: Remote Code Execution
[ GLSA 202409-22 ] GCC: Flawed Code Generation
[ GLSA 202409-21 ] Hunspell: Multiple Vulnerabilities




[ GLSA 202409-24 ] Tor: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Low
Title: Tor: Multiple Vulnerabilities
Date: September 24, 2024
Bugs: #916759, #917142
ID: 202409-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Tor, the worst of which
could result in denial of service.

Background
==========

Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.

Affected packages
=================

Package Vulnerable Unaffected
----------- ------------ ------------
net-vpn/tor < 0.4.8.9 >= 0.4.8.9

Description
===========

Multiple vulnerabilities have been discovered in Tor. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Tor users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-vpn/tor-0.4.8.9"

References
==========

[ 1 ] TROVE-2023-004
[ 2 ] TROVE-2023-006

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-24

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202409-23 ] ZNC: Remote Code Execution


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ZNC: Remote Code Execution
Date: September 24, 2024
Bugs: #935422
ID: 202409-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in ZNC which could result in remote code
execution.

Background
==========

ZNC is an advanced IRC bouncer.

Affected packages
=================

Package Vulnerable Unaffected
----------- ------------ ------------
net-irc/znc < 1.9.1 >= 1.9.1

Description
===========

ZNC's modtcl could allow for remote code execution via a KICK.

Impact
======

A vulnerable ZNC with the modtcl module loaded could be exploited for
remote code execution.

Workaround
==========

Unload the mod_tcl module.

Resolution
==========

All ZNC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-irc/znc-1.9.1"

References
==========

[ 1 ] CVE-2024-39844
https://nvd.nist.gov/vuln/detail/CVE-2024-39844

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-23

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202409-22 ] GCC: Flawed Code Generation


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GCC: Flawed Code Generation
Date: September 24, 2024
Bugs: #719466
ID: 202409-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in GCC, which can lead to flawed
code generation.

Background
==========

The GNU Compiler Collection includes front ends for C, C++, Objective-C,
Fortran, Ada, Go, D and Modula-2 as well as libraries for these
languages (libstdc++,...).

Affected packages
=================

Package Vulnerable Unaffected
------------- ------------ ------------
sys-devel/gcc < 10.0 >= 10.0

Description
===========

A vulnerability has been discovered in GCC. Please review the CVE
identifier referenced below for details.

Impact
======

The POWER9 backend in GNU Compiler Collection (GCC) could optimize
multiple calls of the __builtin_darn intrinsic into a single call, thus
reducing the entropy of the random number generator. This occurred
because a volatile operation was not specified. For example, within a
single execution of a program, the output of every __builtin_darn() call
may be the same.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GCC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-devel/gcc-10.0"

And then select it with gcc-config:

# gcc-config latest

In this case, users should also rebuild all affected packages with
emerge -e, e.g.:

# emerge --usepkg=n --emptytree @world

References
==========

[ 1 ] CVE-2019-15847
https://nvd.nist.gov/vuln/detail/CVE-2019-15847

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202409-21 ] Hunspell: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Hunspell: Multiple Vulnerabilities
Date: September 24, 2024
Bugs: #866093
ID: 202409-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Hunspell, the worst of
which could lead to arbitrary code execution.

Background
==========

Hunspell is the spell checker of LibreOffice, OpenOffice.org, Mozilla
Firefox & Thunderbird, Google Chrome.

Affected packages
=================

Package Vulnerable Unaffected
----------------- ------------ ------------
app-text/hunspell < 1.7.1 >= 1.7.1

Description
===========

Malicious input to the hunspell spell checker could result in an
application crash or other unspecified behavior.

Impact
======

Malicious input to the hunspell spell checker could result in an
application crash or other unspecified behavior.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Hunspell users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/hunspell-1.7.1"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-21

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5