Gentoo alert 202412-19 (eza)
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Subject: [gentoo-announce] [ GLSA 202412-19 ] eza: Arbitrary Code Execution
Date: Wed, 11 Dec 2024 12:01:51 -0000
Message-ID: <173391851204.7.7040483278885082257@3f85d36892cf>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202412-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: eza: Arbitrary Code Execution
     Date: December 11, 2024
     Bugs: #926532
       ID: 202412-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in eza, which can lead to arbitrary
code execution.

Background
==========

eza is a modern, maintained replacement for ls, written in rust.

Affected packages
=================

Package       Vulnerable    Unaffected
------------  ------------  ------------
sys-apps/eza  < 0.18.6      >= 0.18.6

Description
===========

A vulnerability has been discovered in eza. Please review the CVE
identifier referenced below for details.

Impact
======

A buffer overflow vulnerability in eza allows local attackers to execute
arbitrary code via the .git/HEAD, .git/refs, and .git/objects
components.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All eza users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/eza-0.18.6"

References
==========

[ 1 ] CVE-2024-25817
      https://nvd.nist.gov/vuln/detail/CVE-2024-25817

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202412-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
Attachment: signature.asc (type=application/pgp-signature)
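Added example, not part of the advisory or of Gentoo's tooling: a POSIX shell check that classifies package strings against the affected range in the table above (sys-apps/eza < 0.18.6). The function names and the sample package strings are constructed for illustration, and versions with suffixes such as _rc1 are reported as unknown rather than guessed at.

```shell
#!/bin/sh
# Added example, not part of the GLSA: classify package strings against the
# advisory's affected range for sys-apps/eza (vulnerable < 0.18.6).
FIXED="0.18.6"   # first unaffected version, taken from the advisory table

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}          # a missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                         # equal versions are not "lower"
}

# glsa_eza_status CPV: print vulnerable | unaffected | unknown | not-eza
glsa_eza_status() {
    case $1 in
        sys-apps/eza-[0-9]*) ver=${1#sys-apps/eza-} ;;
        *) echo not-eza; return 0 ;;
    esac
    # Drop a Gentoo revision suffix such as -r1 before comparing.
    case $ver in *-r[0-9]*) ver=${ver%-r*} ;; esac
    # Only plain dotted numbers are compared numerically.
    case $ver in
        *[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if version_lt "$ver" "$FIXED"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Constructed sample inputs; on a Gentoo host the string could instead come
# from `qlist -Iv sys-apps/eza` (portage-utils).
for cpv in sys-apps/eza-0.9.0 sys-apps/eza-0.18.5-r1 sys-apps/eza-0.18.6; do
    printf '%s -> %s\n' "$cpv" "$(glsa_eza_status "$cpv")"
done
```

The 0.9.0 sample is included because a plain string comparison would sort it above 0.18.6; the component-wise numeric comparison classifies it as vulnerable.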
