Source: tuned
Version: 2.24.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for tuned.

CVE-2024-52336[0]:
| A script injection vulnerability was identified in the Tuned
| package. The `instance_create()` D-Bus function can be called by
| locally logged-in users without authentication. This flaw allows a
| local non-privileged user to execute a D-Bus call with `script_pre`
| or `script_post` options that permit arbitrary scripts with their
| absolute paths to be passed. These user or attacker-controlled
| executable scripts or programs could then be executed by Tuned with
| root privileges, which could allow attackers to achieve local
| privilege escalation.

CVE-2024-52337[1]:
| A log spoofing flaw was found in the Tuned package due to improper
| sanitization of some API arguments. This flaw allows an attacker to
| pass a controlled sequence of characters; newlines can be inserted
| into the log. Instead of the 'evil' the attacker could mimic a valid
| TuneD log line and trick the administrator. The quotes '' are
| usually used in TuneD logs citing raw user input, so there will
| always be the ' character ending the spoofed input, and the
| administrator can easily overlook this. This logged string is later
| used in logging and in the output of utilities, for example,
| `tuned-adm get_instances` or other third-party programs that use
| Tuned's D-Bus interface for such operations.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52336
    https://www.cve.org/CVERecord?id=CVE-2024-52336
[1] https://security-tracker.debian.org/tracker/CVE-2024-52337
    https://www.cve.org/CVERecord?id=CVE-2024-52337
[2] https://www.openwall.com/lists/oss-security/2024/11/28/1

Regards,
Salvatore
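The log-spoofing problem in CVE-2024-52337 above comes down to quoting raw caller input in a log record without neutralising control characters. The following Python is an added defensive illustration, not Tuned's code or its actual fix: the names `sanitize_for_log`, `is_safe_name` and the sample log format are assumptions, and the sample input is constructed.

```python
"""Added example (not Tuned's own code): neutralise control characters in
caller-supplied strings before they are quoted in a log line, so an
embedded newline cannot fabricate a second, legitimate-looking record."""
import re

# ASCII control characters (including \n, \r and ESC, which starts terminal
# escape sequences) and DEL.  Any of these can break log line structure or
# alter how the line is displayed in a terminal.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Return value with every control character replaced by its escaped form.

    '\\n' becomes the two characters backslash + 'n', ESC becomes '\\x1b',
    so the rendered log line stays on one physical line and still shows
    exactly what the caller sent.
    """
    return _CONTROL.sub(lambda m: repr(m.group(0))[1:-1], value)


def is_safe_name(value: str) -> bool:
    """Stricter policy for fields such as an instance name (assumed policy):
    reject the request outright if any control character is present."""
    return _CONTROL.search(value) is None


def render_log_line(instance_name: str) -> str:
    """Build a log message in the style described in the report: the raw
    caller input is cited inside single quotes, here after sanitising it."""
    return "tuned: creating instance '%s'" % sanitize_for_log(instance_name)


def physical_lines(message: str) -> int:
    """Number of physical lines a message would occupy in a log file."""
    return message.count("\n") + 1


# Constructed sample input: a value carrying a newline followed by text that
# imitates a genuine record.  Unsanitised, this would occupy two physical
# lines and the second one would close its own quote, as the report notes.
SPOOF_ATTEMPT = "evil\ntuned: INFO something that looks legitimate'"

if __name__ == "__main__":
    line = render_log_line(SPOOF_ATTEMPT)
    print(line)                       # one line, newline shown as \n
    print("physical lines:", physical_lines(line))
    print("accepted as name:", is_safe_name(SPOOF_ATTEMPT))
```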