authorV3n3RiX <venerix@koprulu.sector>2024-05-08 00:00:57 +0100
committerV3n3RiX <venerix@koprulu.sector>2024-05-08 00:00:57 +0100
commit5181ced3f3566a9610b85922b083c8f84f20d78f (patch)
treed7eb288527e8bc248dd17ff874995d8bffe06704 /metadata/glsa
parent7bcfea9c5e79a425a62a66bba477b9d3c0d7fdd0 (diff)
gentoo auto-resync : 08:05:2024 - 00:00:57
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin572194 -> 572670 bytes
-rw-r--r--metadata/glsa/glsa-202405-18.xml49
-rw-r--r--metadata/glsa/glsa-202405-19.xml42
-rw-r--r--metadata/glsa/glsa-202405-20.xml58
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
7 files changed, 166 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 3e851356a9bb..d234b6e408ad 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 572194 BLAKE2B 736dd063af339592e54b5eb6a96b21fa114076b32923b0103db465e82be98d9a5dc5a73f66156af8907ecc1ce8bcd1ef8a09c8d98208c594ebc2cd3109b3d410 SHA512 b7dadaeb677f04cc391368d9d0aea276a0639d56dc6eaec3d59d5bbc8046775a8cf34c4047312d631a6f118781f907bf1c585178c705c0b9200dac6163ecedbe
-TIMESTAMP 2024-05-06T22:10:18Z
+MANIFEST Manifest.files.gz 572670 BLAKE2B 53f887b1afdbde7318d64b5a2773bb5d9df44b119ad24b5683fbd2ae80615cb88bc0e858597f3342fc169482d9775591c1b93c38f6679166daa01f65e8ee2bd2 SHA512 e2ab6ec1262d65f9a9d9eec3c3a120c56903ac41761a8bd30674704a65d489d45a5909a6dcd6e413aa3493f4105d540fb62b8398ce239d745de856eaed58b752
+TIMESTAMP 2024-05-07T22:10:22Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmY5VUpfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmY6ps5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klC7HA//Q/IdUwO+Kpd3wfQxZDxUGt3meOmOY7Kw6/9LLQbPPKgwsdmuRELt8h9J
-DrMQjFdaP9qNl301nsanZwQM+GOjFdmhoMU79aYGkE8AOTkXQwpQf060LbpBpiec
-FhKdrqmZ/fwgCOkKWGH227opWjaebsFNqxks1CFSvETeaR3+WECvs6J9m4baOqOc
-GzQR74AGjJ5bpLTuXDwu8R8C6pBJNi/wBgMkxygaj9L2l4/thjXigbxr3GvW2Sam
-SXt5xAFQgE+kZ8LCeyQWjBsTb2G9dwU6ns1a2Oyn9UgMa2QeGSrthhJlYhvvJlSY
-lj54O2580B1qyI6kCo5m9t2dOFQXOXPhKBChilYkqX33CYHR6S9oC7zeLA5gircT
-qrLZ5x3By9gUXrKjqr0KDL/ceOWw9DM3U2cwEHxZBguUaje3K2SD8cvwvLXHp83J
-FAAlpPIAyAEX6BMxyiwFQh8gsXpcyytErOs7my/Xc8qhgSiHTwt9J9O3NQPnxKji
-hEo1vNjxuLTECTCq6kjzL5shH5VVvXARGNsTcqvimlKn2J7WGdsmBQEwLOIIXrA0
-WThbOvTu3tJ7NEQhOw4RizhlXCIqnogoEjlrHd3tnXt+4Bf7A/fyLImV/7+2Cl1r
-9oL6dxCJLMI/Vz0VVVHd+6H5c9PsI/Eohb9Dm80P1IPeXMzeM0Y=
-=bXMC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+=I47p
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index c5bad3d1e52f..14dcfb5cf364 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202405-18.xml b/metadata/glsa/glsa-202405-18.xml
new file mode 100644
index 000000000000..ecec50f0d14f
--- /dev/null
+++ b/metadata/glsa/glsa-202405-18.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-18">
+ <title>Xpdf: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Xpdf, the worst of which could possibly lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">xpdf</product>
+ <announced>2024-05-07</announced>
+ <revised count="1">2024-05-07</revised>
+ <bug>755938</bug>
+ <bug>840873</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-text/xpdf" auto="yes" arch="*">
+ <unaffected range="ge">4.04</unaffected>
+ <vulnerable range="lt">4.04</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Xpdf is an X viewer for PDF files.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Xpdf. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Xpdf users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/xpdf-4.04"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25725">CVE-2020-25725</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35376">CVE-2020-35376</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-27548">CVE-2021-27548</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24106">CVE-2022-24106</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24107">CVE-2022-24107</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27135">CVE-2022-27135</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38171">CVE-2022-38171</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-05-07T04:34:27.431462Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-05-07T04:34:27.435519Z">graaff</metadata>
+</glsa> \ No newline at end of file
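Review bot: The `<impact>` paragraph in glsa-202405-18.xml only tells the reader to review the CVE identifiers, although the synopsis already states that the worst issue could possibly lead to arbitrary code execution, so anyone triaging from the impact section alone cannot see the worst case; glsa-202405-20.xml carries the same placeholder. Consider restating the worst case there, for example `<p>The worst of these issues could possibly lead to arbitrary code execution; please review the referenced CVE identifiers for details.</p>`. Separately, all three new files declare `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, an external DTD referenced over plain HTTP. Tooling that parses these advisories should validate against a locally shipped copy of the DTD and keep external entity resolution disabled rather than fetch that URL.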
diff --git a/metadata/glsa/glsa-202405-19.xml b/metadata/glsa/glsa-202405-19.xml
new file mode 100644
index 000000000000..5ae43a639f34
--- /dev/null
+++ b/metadata/glsa/glsa-202405-19.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-19">
+ <title>xar: Unsafe Extraction</title>
+ <synopsis>A vulnerability has been discovered in xar, which can lead to privilege escalation.</synopsis>
+ <product type="ebuild">xar</product>
+ <announced>2024-05-07</announced>
+ <revised count="1">2024-05-07</revised>
+ <bug>820641</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-arch/xar" auto="yes" arch="*">
+ <unaffected range="ge">1.8.0.0.487.100.1</unaffected>
+ <vulnerable range="lt">1.8.0.0.487.100.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>xar provides an easily extensible archive format.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in xar. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>xar allows for a forward-slash separated path to be specified in the file name property, e.g. &lt;name&gt;x/foo&lt;/name&gt; – as long as it doesn’t traverse upwards, and the path exists within the current directory. This means an attacker can create a .xar file which contains both a directory symlink, and a file with a name property which points into the extracted symlink directory. By abusing symlink directories in this manner, an attacker can write arbitrary files to any directory on the filesystem – providing the user has permissions to write to it.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All xar users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/xar-1.8.0.0.487.100.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30833">CVE-2021-30833</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-05-07T04:42:07.751840Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-05-07T04:42:07.755662Z">graaff</metadata>
+</glsa> \ No newline at end of file
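Review bot: The synopsis of glsa-202405-19.xml promises privilege escalation, but the `<impact>` text describes an arbitrary file write through an extracted directory symlink, limited to locations the extracting user can already write to; the two should agree. If the impact text is accurate, a synopsis such as `A vulnerability has been discovered in xar, which can lead to arbitrary file writes during archive extraction.` would match it better. The mechanism paragraph also reads as description material, while `<description>` only points at the CVE. Moving the detail into `<description>` and leaving a one-sentence consequence in `<impact>` would keep each element to its purpose.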
diff --git a/metadata/glsa/glsa-202405-20.xml b/metadata/glsa/glsa-202405-20.xml
new file mode 100644
index 000000000000..e8bf7d00eb24
--- /dev/null
+++ b/metadata/glsa/glsa-202405-20.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-20">
+ <title>libjpeg-turbo: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in libjpeg-turbo, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">libjpeg-turbo</product>
+ <announced>2024-05-07</announced>
+ <revised count="1">2024-05-07</revised>
+ <bug>797424</bug>
+ <bug>814206</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libjpeg-turbo" auto="yes" arch="*">
+ <unaffected range="ge">2.1.1</unaffected>
+ <vulnerable range="lt">2.1.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libjpeg-turbo is a MMX, SSE, and SSE2 SIMD accelerated JPEG library.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libjpeg-turbo. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libjpeg-turbo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-2.1.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17541">CVE-2020-17541</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37956">CVE-2021-37956</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37957">CVE-2021-37957</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37958">CVE-2021-37958</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37959">CVE-2021-37959</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37960">CVE-2021-37960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37961">CVE-2021-37961</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37962">CVE-2021-37962</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37963">CVE-2021-37963</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37965">CVE-2021-37965</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37966">CVE-2021-37966</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37967">CVE-2021-37967</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37968">CVE-2021-37968</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37970">CVE-2021-37970</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37971">CVE-2021-37971</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37972">CVE-2021-37972</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-05-07T05:04:06.111037Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-05-07T05:04:06.115519Z">graaff</metadata>
+</glsa> \ No newline at end of file
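Review bot: The `<references>` list in glsa-202405-20.xml contains a near-contiguous run from CVE-2021-37956 to CVE-2021-37972, which looks like one vendor's release batch rather than separate libjpeg-turbo flaws. As far as I can tell, most of that range was assigned to Google Chrome components, and CVE-2021-37972 appears to be the entry that actually names libjpeg-turbo. Each `<uri>` should be checked against its NVD entry, and any that do not concern media-libs/libjpeg-turbo should be dropped. Otherwise scanners and compliance reports keyed on this GLSA will record unrelated CVEs as resolved by upgrading to 2.1.1.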
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 75526f1f978f..207b8eb9b990 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Mon, 06 May 2024 22:10:15 +0000
+Tue, 07 May 2024 22:10:19 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 3b0047a72b19..88c796a7b0d1 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-321e9a106808c3799e6007bf5459c5b6adb657a3 1715012485 2024-05-06T16:21:25+00:00
+508b72c9779f4f058551ebb133c5d5f21fd4e654 1715058264 2024-05-07T05:04:24+00:00