ALT Linux Team

Branch c10f2 update on 2025-10-09

2025-10-09

ALT-BU-2025-12780-1

Branch c10f2 update bulletin.

ALT-PU-2025-12669-3

Package git-lfs updated to version 3.6.1-alt1 for branch c10f2 in task 396483.

Closed vulnerabilities

Published: 2025-01-14

BDU:2025-01510

Уязвимость расширения Git для управления версиями больших файлов Git LFS, связанная с неверной нейтрализацией особых элементов в выходных данных, используемых входящим компонентом, позволяющая нарушителю получить несанкционированный доступ к учетным данным пользователя

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2025-01-14
Modified: 2025-01-23

CVE-2024-53263

Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.

Severity: HIGH (8.5) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:

ALT-PU-2025-12689-3

Package djvu updated to version 3.5.29-alt1 for branch c10f2 in task 396546.

Closed vulnerabilities

Published: 2021-05-17

BDU:2021-02741

Уязвимость функции DJVU::GBitmap::decode() набора библиотек и утилит DjVuLibre, позволяющая нарушителю выполнить произвольный код в целевой системе

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2021-05-17

BDU:2021-02743

Уязвимость функции DJVU::filter_bv() набора библиотек и утилит DjVuLibre, позволяющая нарушителю выполнить произвольный код в целевой системе с помощью специально созданного файла djvu

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2021-05-17

BDU:2021-02744

Уязвимость функции DJVU::DjVuDocument::get_djvu_file() набора библиотек и утилит DjVuLibre, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2021-05-17

BDU:2021-02745

Уязвимость DJVU::DataPool::has_data() набора библиотек и утилит DjVuLibre, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Severity: MEDIUM (5.4) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Severity: MEDIUM (6.4) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
References:
Published: 2021-05-17

BDU:2021-02746

Уязвимость функции render() набора библиотек и утилит DjVuLibre, позволяющая нарушителю выполнить произвольный код в целевой системе

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2023-08-22

BDU:2023-05879

Уязвимость компонента IW44Image.cpp библиотеки для просмотра, создания, редактирования DjVu-файлов DjVuLibre, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2021-06-24
Modified: 2024-11-21

CVE-2021-32490

A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds write in function DJVU::filter_bv() via crafted djvu file may lead to application crash and other consequences.

Severity: MEDIUM (6.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2021-06-24
Modified: 2024-11-21

CVE-2021-32491

A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences.

Severity: MEDIUM (6.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2021-06-24
Modified: 2024-11-21

CVE-2021-32492

A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences.

Severity: MEDIUM (6.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2021-06-24
Modified: 2024-11-21

CVE-2021-32493

A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences.

Severity: MEDIUM (6.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2021-06-24
Modified: 2024-11-21

CVE-2021-3500

A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences.

Severity: MEDIUM (6.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2023-08-22
Modified: 2024-11-21

CVE-2021-46310

An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top