Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 897924 (CVE-2023-26266)

Summary: <app-forensics/aflplusplus-4.06c: code execution via untrusted CWD
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/AFLplusplus/AFLplusplus/pull/1643
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:46:42 UTC 
CVE-2023-26266

In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-08 23:49:00 UTC 
Looks like the patch is in 4.06c and beyond.