[gentoo-announce] [ GLSA 202412-19 ] eza: Arbitrary Code Execution

    From glsamaker@gentoo.org@21:1/5 to All on Wed Dec 11 13:10:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202412-19
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: eza: Arbitrary Code Execution
    Date: December 11, 2024
    Bugs: #926532
    ID: 202412-19

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in eza, which can lead to arbitrary
    code execution.

    Background
    ==========

    eza is a modern, maintained replacement for ls, written in Rust.

    Affected packages
    =================

    Package           Vulnerable    Unaffected
    ----------------  ------------  ------------
    sys-apps/eza      < 0.18.6      >= 0.18.6

    Description
    ===========

    A vulnerability has been discovered in eza. Please review the CVE
    identifier referenced below for details.

    Impact
    ======

    A buffer overflow vulnerability in eza allows local attackers to
    execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects
    components.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All eza users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/eza-0.18.6"
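    To confirm whether an installed eza falls inside the vulnerable range
    given in the table above, the following added POSIX sh example (not part
    of the GLSA or of eza) compares the version against the fixed release
    0.18.6; it assumes plain dotted version numbers and, on a Gentoo host,
    reads the installed version from Portage's /var/db/pkg database.

```shell
#!/bin/sh
# Added example, not part of GLSA 202412-19: decide whether an eza version
# lies in the vulnerable range "< 0.18.6" stated in the advisory.
# Assumptions: dotted numeric versions (e.g. 0.18.5); a Gentoo revision
# suffix such as -r1 is stripped before comparing.

FIXED_VERSION="0.18.6"   # unaffected from this version on (advisory table)

# version_lt A B -> exit status 0 if A < B, comparing dotted numeric
# components left to right; a missing component counts as 0 (0.18 < 0.18.6).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# eza_affected VERSION -> exit status 0 if VERSION is vulnerable.
eza_affected() {
    version_lt "${1%-r*}" "$FIXED_VERSION"
}

# installed_eza_version -> prints the version recorded in Portage's VDB
# (/var/db/pkg/<category>/<pkg>-<version>), exit status 1 if not installed.
installed_eza_version() {
    for dir in /var/db/pkg/sys-apps/eza-*; do
        [ -d "$dir" ] || continue
        printf '%s\n' "${dir##*/eza-}"
        return 0
    done
    return 1
}

# When run directly on a Gentoo host, report the verdict for the installed package.
if v="$(installed_eza_version)"; then
    if eza_affected "$v"; then
        echo "sys-apps/eza-$v: affected by GLSA 202412-19, upgrade to >= $FIXED_VERSION"
    else
        echo "sys-apps/eza-$v: not affected"
    fi
fi
```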

    References
    ==========

    [ 1 ] CVE-2024-25817
    https://nvd.nist.gov/vuln/detail/CVE-2024-25817

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202412-19

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5