authorV3n3RiX <venerix@koprulu.sector>2023-10-26 08:44:00 +0100
committerV3n3RiX <venerix@koprulu.sector>2023-10-26 08:44:00 +0100
commit1e8bc3b2037289b8577740cea9321c37c52a49a2 (patch)
treeeb73b737abc04c27ce7e878f621e1a49deb09857 /metadata/glsa
parentc3a905eafd0ea87d50767fa3d24a6b565a41faa9 (diff)
gentoo auto-resync : 26:10:2023 - 08:43:59
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin551049 -> 551527 bytes
-rw-r--r--metadata/glsa/glsa-202310-14.xml44
-rw-r--r--metadata/glsa/glsa-202310-15.xml42
-rw-r--r--metadata/glsa/glsa-202310-16.xml43
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
7 files changed, 146 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index badcfa1511bf..9dd70b66c81f 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 551049 BLAKE2B 101f1e8c4fa2931de07bb12ade0d1a8f1086be636efa08e147c4c0a1ca5fbe5e5a01767f2ed884b1618e5e410a13397f54d75143f4eefe815b1be6584235614c SHA512 743e4ffacde54ecf7bc8f18d55d327e1443b9492e2ca28d9c8d3bb34f23fdf39df6d37e054b64a8068d11f93ef17d55500c5009206e44920614c53a3f5660f38
-TIMESTAMP 2023-10-26T01:11:31Z
+MANIFEST Manifest.files.gz 551527 BLAKE2B db64d10d2fa1122803097d484fee003fef693bdaf1bbc3e95adeb74bc10a4f4d9fb91c2a44ce8126e382ca58789a31168c226892f8e9b697446331bb0348d0ef SHA512 2574a3347157ae0bb1a2009e7010804d3b1b384faccb3d7bd553d8691f02c4ce971671af6ae20b2989ae24ed00352b3210d3b61e28abbc9963d54bcf5e71eb27
+TIMESTAMP 2023-10-26T07:10:22Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmU5vMNfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmU6EN5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klD2GA/9FY9pAGGWw77qE3bY0wNLutLuNPN5bo/BLNf6YKepPRWgm9e6IcPVmFPM
-L8ruEAACZ5dm1MxBwNOJA+CDOOP4g+9DcW2b1vlMNbmip78Hm0bFNfHKo4F1czWe
-4/lNm92nwG4LAzsZh9jqjD73WuyCZzDLaiGPRXYhg6tBMfgaXzXRtdYULhx786xk
-SWSS1tekFQ/gs8dQAPE9G9SAX4G5owMLSKtjAEC/6ytsCHggcIa0rFUB7z8Oi1Oj
-72RmmkV8W2IedKMWRxPQn90pkn4ObzCzOdEDJyYEq2Qw4a1/iH2yvooRrLANV1Ue
-qGpwk3gmfbJNd5WAokVeEEcv9VWj0q9r2LPq6o+HO1ayH6NqIA2TJyx1rKeQLEYR
-WOxqu8EvvXMT4tP0FOYQjYmYA10z8yWQhMRrxZkaRBMwApeKu88ZruztXJ5iAPCD
-JJkL+hQJPEH8JrOMxHQKYhVTctOTFUSEmavFh77BKIY7aUQcRnS9EaLc4zReLxuk
-YpkPjB1BUQKDS1/551fwK4ZNhD6FQMVigWgAzvtbslvT+dDFA+UkEPmAQMxB7kLy
-/GML3wAa1PyuW29kzBR19MGvQF+y0Hft2Fsl5kAiEsJs+OCfo1pdgYJ8Q8Y9hfeE
-U6r22xGewfwdeAT/yHi0i7psoMbChuT0d9cUZy9jBXIEVHRPn8A=
-=eLoC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+=AU9V
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 59deb0c365fd..91ebb5d9dc28 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202310-14.xml b/metadata/glsa/glsa-202310-14.xml
new file mode 100644
index 000000000000..c4dc6dd8ee39
--- /dev/null
+++ b/metadata/glsa/glsa-202310-14.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-14">
+ <title>libinput: format string vulnerability when using xf86-input-libinput</title>
+ <synopsis>A vulnerability has been discovered in libinput where an attacker may run malicous code by exploiting a format string vulnerability.</synopsis>
+ <product type="ebuild">libinput</product>
+ <announced>2023-10-26</announced>
+ <revised count="1">2023-10-26</revised>
+ <bug>839729</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/libinput" auto="yes" arch="*">
+ <unaffected range="ge">1.20.1</unaffected>
+ <vulnerable range="lt">1.20.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A library to handle input devices in Wayland and, via xf86-input-libinput, in X.org.</p>
+ </background>
+ <description>
+ <p>An attacker may be able to run malicious code by exploiting a format string vulnerability. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>When a device is detected by libinput, libinput logs several messages through log handlers set up by the callers. These log handlers usually eventually result in a printf call. Logging happens with the privileges of the caller, in the case of Xorg this may be root.
+
+The device name ends up as part of the format string and a kernel device with printf-style format string placeholders in the device name can enable an attacker to run malicious code. An exploit is possible through any device where the attacker controls the device name, e.g. /dev/uinput or Bluetooth devices.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libinput users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/libinput-1.20.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1215">CVE-2022-1215</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-26T04:38:40.405160Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-26T04:38:40.408918Z">graaff</metadata>
+</glsa> \ No newline at end of file
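Review bot: The `<synopsis>` line misspells "malicious" as "malicous"; this text is published verbatim in the advisory feed, so it should read `<synopsis>A vulnerability has been discovered in libinput where an attacker may run malicious code by exploiting a format string vulnerability.</synopsis>`. The file is also committed without a trailing newline (the `\ No newline at end of file` marker), as are glsa-202310-15.xml and glsa-202310-16.xml in this commit; adding the newline keeps future diffs of the closing `</glsa>` line clean. The DOCTYPE references an external DTD over plain http, which is the standard GLSA header, but any consumer of these files should parse with external DTD and entity loading disabled rather than fetching it.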
diff --git a/metadata/glsa/glsa-202310-15.xml b/metadata/glsa/glsa-202310-15.xml
new file mode 100644
index 000000000000..2800fd629ab3
--- /dev/null
+++ b/metadata/glsa/glsa-202310-15.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-15">
+ <title>USBView: root privilege escalation via insecure polkit settings</title>
+ <synopsis>A vulnerability has been discovered in usbview where certain users can trigger a privilege escalation.</synopsis>
+ <product type="ebuild">usbview</product>
+ <announced>2023-10-26</announced>
+ <revised count="1">2023-10-26</revised>
+ <bug>831756</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-admin/usbview" auto="yes" arch="*">
+ <unaffected range="ge">2.2</unaffected>
+ <vulnerable range="lt">2.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>USBView is a tool to display the topology of devices on the USB bus.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in usbview. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>USBView allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All USBView users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/usbview-2.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23220">CVE-2022-23220</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-26T04:41:42.430938Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-26T04:41:42.434826Z">graaff</metadata>
+</glsa> \ No newline at end of file
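Review bot: The `<workaround>` paragraph states there is no known workaround, while the `<impact>` paragraph above it attributes the issue to a pkexec polkit policy that disables authentication (allow_any=yes); if that policy file is shipped by the package, a tightened policy would presumably be an interim mitigation and could be mentioned here — to be confirmed against the upstream report before changing the text. Separately, the `<description>` line is generic ("A vulnerability has been discovered in usbview") where the title already names the polkit mechanism, so it could carry that detail for readers who only see the description field.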
diff --git a/metadata/glsa/glsa-202310-16.xml b/metadata/glsa/glsa-202310-16.xml
new file mode 100644
index 000000000000..f799cbfc86a4
--- /dev/null
+++ b/metadata/glsa/glsa-202310-16.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-16">
+ <title>Ubiquiti UniFi: remote code execution via bundled log4j</title>
+ <synopsis>A vulnerability has been discovered in unifi where bundled log4j can facilitate a remote code execution</synopsis>
+ <product type="ebuild">unifi</product>
+ <announced>2023-10-26</announced>
+ <revised count="1">2023-10-26</revised>
+ <bug>828853</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-wireless/unifi" auto="yes" arch="*">
+ <unaffected range="ge">6.5.55</unaffected>
+ <vulnerable range="lt">6.5.55</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi APs.</p>
+ </background>
+ <description>
+ <p>A bundled version of log4j could facilitate remote code execution. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Ubiquity UniFi users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-wireless/unifi-6.5.55"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4104">CVE-2021-4104</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-26T04:47:43.475731Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-26T04:47:43.478412Z">graaff</metadata>
+</glsa> \ No newline at end of file
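Review bot: The resolution paragraph on the `<p>All Ubiquity UniFi users ...</p>` line misspells the vendor name, which is "Ubiquiti" everywhere else in the file; it should read `<p>All Ubiquiti UniFi users should upgrade to the latest version:</p>`. The `<impact>` text describes a JDBC Appender with a JNDI data-source URI in a modified logging configuration, but neither of the two CVE identifiers in `<references>` is described that way anywhere on this page, so the reference list may be incomplete for the issue described — worth checking against the upstream advisory before publishing. The `<synopsis>` sentence also lacks the closing period that the other two advisories in this commit use.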
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 48d0f03fe45c..669b33b31c10 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Thu, 26 Oct 2023 01:11:28 +0000
+Thu, 26 Oct 2023 07:10:19 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 86e6c6831bb4..e64bf8942b68 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-3e4a6266341c7f754ede0bb2d3c6a7f37daef958 1697694502 2023-10-19T05:48:22+00:00
+9f1c7e1afafc090d1c9f5074a8f34ce83f4bf4af 1698295694 2023-10-26T04:48:14+00:00