SB2022061548 - SUSE update for patch

Security Bulletin ID SB2022061548

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Double Free (CVE-ID: CVE-2018-6952)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing untrusted input within the another_hunk() function in pch.c. A remote attacker can create a specially crafted file, trick the victim into using in with the affected application, trigger a double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Improper Link Resolution Before File Access ('Link Following') (CVE-ID: CVE-2019-13636)

The vulnerability allows a local user to gain unauthorized access to files or directories on a targeted system.

The vulnerability exists due to the software mishandles the following of symlinks in certain cases other than input files in the "inp.c" and "util.c" files. A local authenticated user can gain unauthorized access to read or modify files and directories on a targeted system.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2022/suse-su-20221925-1/

SB2022061548 - SUSE update for patch

Breakdown by Severity

Description

Remediation

References

Please verify you're human