Bug 908031 (CVE-2023-33863, CVE-2023-33864, CVE-2023-33865) - <media-gfx/renderdoc-1.27: multiple vulnerabilities
Summary: <media-gfx/renderdoc-1.27: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-33863, CVE-2023-33864, CVE-2023-33865
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.qualys.com/2023/06/06/ren...
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 908204
Blocks:
Reported: 2023-06-08 03:41 UTC by John Helmert III
Modified: 2023-11-25 09:38 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description by John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2023-06-08 03:41:23 UTC
CVE-2023-33865:

RenderDoc through 1.26 allows local privilege escalation via a symlink attack.

CVE-2023-33864:

RenderDoc through 1.26 allows an Integer Overflow with a resultant Buffer Overflow (issue 2 of 2).

CVE-2023-33863:

RenderDoc through 1.26 allows an Integer Overflow with a resultant Buffer Overflow (issue 1 of 2).

"- CVE-2023-33865, a symlink vulnerability that is exploitable by any
  unprivileged local attacker to obtain the privileges of the user who
  runs RenderDoc. The exact details of this symlink vulnerability made
  it quite interesting and challenging to exploit.

- CVE-2023-33864, an integer underflow that results in a heap-based
  buffer overflow that is exploitable by any remote attacker to execute
  arbitrary code on the machine that runs RenderDoc. The unusual malloc
  exploitation technique that we used to exploit this vulnerability is
  reliable, one-shot, and works despite all the latest glibc, ASLR, PIE,
  NX, and stack-canary protections.

- CVE-2023-33863, an integer overflow that results in a heap-based
  buffer overflow and may be exploitable by a remote attacker to execute
  arbitrary code on the machine that runs RenderDoc (but we have not
  tried to exploit this vulnerability)."

Fixes in 1.27, please bump.
Comment 1 by Larry the Git Cow (gentoo-dev), 2023-06-09 16:49:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43f654a060813a88209ab9998291b3701eacf86e

commit 43f654a060813a88209ab9998291b3701eacf86e
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2023-06-09 16:49:18 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2023-06-09 16:49:36 +0000

    media-gfx/renderdoc: add 1.27
    
    Bug: https://bugs.gentoo.org/908031
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 media-gfx/renderdoc/Manifest                       |   2 +
 .../renderdoc/files/renderdoc-1.27-env-home.patch  |  15 ++
 media-gfx/renderdoc/renderdoc-1.27.ebuild          | 202 +++++++++++++++++++++
 3 files changed, 219 insertions(+)
Comment 2 by John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2023-06-12 04:42:22 UTC
Thanks! Please clean up.
Comment 3 by Larry the Git Cow (gentoo-dev), 2023-06-23 09:01:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d523e2ed9e0302c57fb425341ceec2995a6daa4c

commit d523e2ed9e0302c57fb425341ceec2995a6daa4c
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2023-06-23 08:58:09 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2023-06-23 08:58:09 +0000

    media-gfx/renderdoc: drop 1.24, security cleanup
    
    Bug: https://bugs.gentoo.org/908031
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 media-gfx/renderdoc/Manifest                       |   2 -
 .../renderdoc/files/renderdoc-1.24-env-home.patch  |  15 --
 media-gfx/renderdoc/renderdoc-1.24.ebuild          | 203 ---------------------
 3 files changed, 220 deletions(-)
Comment 4 by Matthew Smith (gentoo-dev), 2023-06-23 09:08:20 UTC
Sorry for the delay.

On the GLSA-worthiness of these issues, I don't think one is required. It's not commonly installed software, mostly used to debug trusted applications, and the server defaults to listening on localhost.
Comment 5 by Larry the Git Cow (gentoo-dev), 2023-11-25 09:37:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=335f69a9cbc971132afe551e722b25032997f1b5

commit 335f69a9cbc971132afe551e722b25032997f1b5
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-25 09:36:29 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-25 09:36:55 +0000

    [ GLSA 202311-10 ] RenderDoc: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/908031
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-10.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)