Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

List Archives

Latest Posts

Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Mar 01)
It is more tricky. At least in Emacs-28, enable-local-eval helps to
mitigate the variant from the blog post

;; -*- eval: (flymake-mode 1) -*-

however the user option has no effect for the case reported in the Emacs
bug#37656 ("deprecated" feature)

;; -*- mode: emacs-lisp; mode: flymake -*-

Neither
emacs -Q --eval '(setq enable-local-eval nil)' poc.txt
nor
emacs -Q --eval '(setq enable-local-variables...

Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Henrik Ahlgren (Mar 01)
Max Nikulin <manikulin () gmail com> writes:

I wanted to point out an interesting aspect of Emacs file local
variables. It may be surprising to some that including `-*-
eval:(foobar-mode) -*-` at the beginning of a file will happily evaluate
the specified function, regardless of whether it is an "actual" minor
mode created with `define-minor-mode'. The only requirement is that the
name ends with "-mode."

This...

CVE-2025-27531: Apache InLong: An arbitrary file read vulnerability for JDBC Charles Zhang (Feb 27)
Severity: moderate

Affected versions:

- Apache InLong 1.13.0 before 2.1.0

Description:

Deserialization of Untrusted Data vulnerability in Apache InLong. 

This issue affects Apache InLong: from 1.13.0 before 2.1.0, this can lead to bypass by double writing the param.

Users are recommended to upgrade to version 2.1.0, which fixes the issue.

Credit:

Ming (finder)

References:

https://inlong.apache.org...

Re: Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Demi Marie Obenour (Feb 27)
No, as this allows other attacks that allow denial of service at the
very least. See
https://lore.kernel.org/xen-devel/19915.58644.191837.671729 () mariner uk xensource com/.

Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Teddy Astie (Feb 27)
Hello,

On 27/02/2025 at 13:57, Xen.org security team wrote:

Is disabling interrupt remapping another way of mitigating this
vulnerability (e.g. iommu=no-intremap)?

Teddy

Teddy Astie | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech

Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Feb 27)
Reading <https://bugzilla.redhat.com/show_bug.cgi?id=2345150> I have
realized that org-link was not the only package that did not follow
(from #66390):
"'man' is an interactive command, so it should not
second-guess the user who invokes it. Commands that call 'man'
non-interactively should make sure they call 'man' with a valid
argument, especially when the argument comes from some file."...

Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Xen . org security team (Feb 27)
Xen Security Advisory CVE-2025-1713 / XSA-467

deadlock potential with VT-d and legacy PCI device pass-through

ISSUE DESCRIPTION
=================

When setting up interrupt remapping for legacy PCI(-X) devices,
including PCI(-X) bridges, a lookup of the upstream bridge is required.
This lookup, itself involving acquiring of a lock, is done in a context
where acquiring that lock is unsafe. This can lead to a deadlock.

IMPACT...

GNU Emacs 30.1 released with 2 CVE fixes Alan Coopersmith (Feb 26)
https://lists.gnu.org/archive/html/info-gnu/2025-02/msg00009.html
announces the release of GNU Emacs 30.1. Among the changes listed in
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1
are these notes:

This was reported in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390

[...]

CVE-2024-53920 is further described in
https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
which...

CPAN Security Group is CNA for Perl and CPAN Modules Stig Palmquist (Feb 25)
CPAN Security Group has been authorized as a CVE Numbering Authority
(CNA) today.

https://www.cve.org/Media/News/item/news/2025/02/25/CPAN-Security-Group-Added-as-CNA

Our scope is vulnerabilities in Perl and CPAN Modules (including
End-of-Life Perl versions) found at perl.org, cpan.org or metacpan.org,
excluding distributions of Perl or CPAN Modules maintained by
third-party redistributors.

To request a CVE, or for updates to CVEs we have...

Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Feb 25)
---------- Forwarded message ---------
From: Olivier Fourdan <ofourdan () redhat com>
Date: Tue, Feb 25, 2025 at 4:39 PM
Subject: X.Org Security Advisory: multiple security issues X.Org X server
and Xwayland
To: <xorg-announce () lists x org>
Cc: <xorg () lists x org>, xorg-devel <xorg-devel () lists x org>

======================================================================
X.Org Security Advisory: February 25, 2025...

Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy (Feb 24)
Ah. Fair point, I missed that src is freshly allocated. Yes, you are
correct.

Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer (Feb 24)
Hi Dmitry,

Thank you for taking a look at this.

It's OK to keep it. This really shouldn't matter.

Of course, we shouldn't pass NULL pointers to sprintf-like functions.
But if the first asprintf() call returns other than -1, the pointer is
supposed to be non-NULL. And if we somehow don't trust asprintf()
return value (even though it's standardized, unlike what happens to the
pointer on error), then the check for NULL...

Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Dmitry Belyavskiy (Feb 24)
Dear Alexander,
Thank you for your efforts!

...

This is relevant, thank you!

I'm not sure that the check for the src == NULL should be removed at least
for the 1st branch.
Unfortunately I came across implementations that caused segfault on passing
NULL pointers to sprintf-like functions.

Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client Solar Designer (Feb 21)
Hi,

Thank you Qualys for the very interesting research, as is usual from you.

I didn't go as far as CodeQL, but I also did some semi-manual auditing:

grep -A100 '[^a-z_]if.[^=!<>]*=[^=]' *.c | less

and then search for goto. I did this against patched OpenSSH source
tree installed with "rpmbuild -rp openssh-8.7p1-43.el9.src.rpm" hoping
to spot any issues there may be specific to this older base OpenSSH
version...
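The OpenSSH thread above turns on two points: whether the result of asprintf() should be judged by its return value or by a NULL check on the pointer, and the class of bug the grep one-liner hunts for (an error code assigned inside an if-condition, later bypassed by a goto that leaves the earlier "success" value in place). The following is an added example written for this page; it is not OpenSSH code, not the Qualys proof of concept and not the patch under discussion. All names in it (asprintf_nul, build_label, lookup_record, verify_buggy, verify_fixed) are hypothetical, and the "lookup" failure is simulated with a flag rather than by exhausting memory.

```c
#define _GNU_SOURCE          /* asprintf()/vasprintf() on glibc */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this example; not OpenSSH's. */
#define VERIFY_OK      0
#define VERIFY_ERROR  -1

/*
 * asprintf() wrapper with a normalized error contract: on failure the
 * return value is -1 AND *strp is NULL.  glibc leaves the pointer
 * undefined on error while the BSD libcs set it to NULL, so code that
 * tests the pointer instead of the return value is only portable through
 * a wrapper like this one.
 */
static int asprintf_nul(char **strp, const char *fmt, ...)
{
	va_list ap;
	int r;

	va_start(ap, fmt);
	r = vasprintf(strp, fmt, ap);
	va_end(ap);
	if (r < 0)
		*strp = NULL;
	return r;
}

/* Hypothetical first step: build a "host:port" label. 0 on success. */
static int build_label(const char *host, int port, char **label)
{
	return asprintf_nul(label, "%s:%d", host, port) < 0 ? VERIFY_ERROR : VERIFY_OK;
}

/* Hypothetical second step; fail != 0 simulates the step failing. */
static int lookup_record(const char *host, int fail, char **rec)
{
	if (fail) {
		*rec = NULL;
		return VERIFY_ERROR;
	}
	return asprintf_nul(rec, "record-for-%s", host) < 0 ? VERIFY_ERROR : VERIFY_OK;
}

/*
 * BUGGY: the pattern the grep audit targets. r is assigned in the first
 * if-condition and holds VERIFY_OK once that call succeeds; the second
 * failure jumps to out: without touching r, so the caller is told the
 * verification succeeded although it never happened.
 */
int verify_buggy(const char *host, int fail_lookup)
{
	char *label = NULL, *rec = NULL;
	int r = VERIFY_ERROR;

	if ((r = build_label(host, 22, &label)) != VERIFY_OK)
		goto out;
	if (lookup_record(host, fail_lookup, &rec) != VERIFY_OK)
		goto out;		/* BUG: r is still VERIFY_OK from build_label() */
	/* ... actual verification would go here ... */
out:
	free(label);		/* free(NULL) is a no-op, so the wrapper's contract keeps this safe */
	free(rec);
	return r;
}

/* FIXED: r starts as an error and is set to VERIFY_OK exactly once, at the end. */
int verify_fixed(const char *host, int fail_lookup)
{
	char *label = NULL, *rec = NULL;
	int r = VERIFY_ERROR;

	if (build_label(host, 22, &label) != VERIFY_OK)
		goto out;		/* r untouched: still VERIFY_ERROR */
	if (lookup_record(host, fail_lookup, &rec) != VERIFY_OK)
		goto out;		/* same */
	r = VERIFY_OK;
out:
	free(label);
	free(rec);
	return r;
}

int main(void)
{
	/* Constructed input: a failing lookup should never yield VERIFY_OK. */
	printf("buggy: %d (VERIFY_OK although lookup failed)\n", verify_buggy("example.com", 1));
	printf("fixed: %d\n", verify_fixed("example.com", 1));
	printf("fixed, lookup ok: %d\n", verify_fixed("example.com", 0));
	return 0;
}
```

The grep in the post above matches exactly the `if ((r = build_label(...)) != VERIFY_OK)` shape in verify_buggy(); the follow-up search for goto finds the jump that skips the reset. The fix keeps the same control flow and only changes when r is allowed to become a success value.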

Re: CVE-2025-26794: Exim: SQL injection Solar Designer (Feb 21)
Here's the actual content from the web page above:

Alexander
