Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 945241 (CVE-2024-52336, CVE-2024-52337) - sys-apps/tuned: multiple vulnerabilities
Summary: sys-apps/tuned: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2024-52336, CVE-2024-52337
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://openwall.com/lists/oss-securi...
Whiteboard: ~1 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-11-28 14:24 UTC by Christopher Fore
Modified: 2024-11-28 14:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2024-11-28 14:24:22 UTC
CVE-2024-52336 (https://github.com/advisories/GHSA-cfjc-m7fv-63xj):

A script injection vulnerability was identified in the Tuned package. The instance_create() D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with script_pre or script_post options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.


CVE-2024-52337 (https://github.com/advisories/GHSA-8c3c-gvf8-p7v2):

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, tuned-adm get_instances or other third-party programs that use Tuned's D-Bus interface for such operations.



The above is fixed in 2.24.1, it also only affects >=sys-apps/tuned-2.23.0.