ALT-BU-2025-13001-1
Branch sisyphus_e2k update bulletin.
Package yt-dlp updated to version 2025.09.26-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2025-11-18
CVE-2024-3566
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
- https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
- https://kb.cert.org/vuls/id/123335
- https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way
- https://www.cve.org/CVERecord?id=CVE-2024-1874
- https://www.cve.org/CVERecord?id=CVE-2024-22423
- https://www.cve.org/CVERecord?id=CVE-2024-24576
- https://www.kb.cert.org/vuls/id/123335
- https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
- https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566
- https://kb.cert.org/vuls/id/123335
- https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way
- https://www.cve.org/CVERecord?id=CVE-2024-1874
- https://www.cve.org/CVERecord?id=CVE-2024-22423
- https://www.cve.org/CVERecord?id=CVE-2024-24576
- https://www.kb.cert.org/vuls/id/123335
Closed bugs
Прошу обновить пакет yt-dlp до версии 2025.09.26
Package djvu updated to version 3.5.29-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2023-11-13
BDU:2021-02741
Уязвимость функции DJVU::GBitmap::decode() набора библиотек и утилит DjVuLibre, позволяющая нарушителю выполнить произвольный код в целевой системе
Modified: 2023-11-13
BDU:2021-02743
Уязвимость функции DJVU::filter_bv() набора библиотек и утилит DjVuLibre, позволяющая нарушителю выполнить произвольный код в целевой системе с помощью специально созданного файла djvu
Modified: 2024-09-24
BDU:2021-02744
Уязвимость функции DJVU::DjVuDocument::get_djvu_file() набора библиотек и утилит DjVuLibre, позволяющая нарушителю выполнить произвольный код
Modified: 2023-11-13
BDU:2021-02745
Уязвимость DJVU::DataPool::has_data() набора библиотек и утилит DjVuLibre, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Modified: 2023-11-13
BDU:2021-02746
Уязвимость функции render() набора библиотек и утилит DjVuLibre, позволяющая нарушителю выполнить произвольный код в целевой системе
Modified: 2025-10-29
BDU:2023-05878
Уязвимость компонента IW44EncodeCodec.cpp библиотеки для просмотра, создания, редактирования DjVu-файлов DjVuLibre, связанная с разделением на ноль, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-11-26
BDU:2023-05879
Уязвимость компонента IW44Image.cpp библиотеки для просмотра, создания, редактирования DjVu-файлов DjVuLibre, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2021-32490
A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds write in function DJVU::filter_bv() via crafted djvu file may lead to application crash and other consequences.
Modified: 2024-11-21
CVE-2021-32491
A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences.
Modified: 2024-11-21
CVE-2021-32492
A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences.
Modified: 2024-11-21
CVE-2021-32493
A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences.
Modified: 2024-11-21
CVE-2021-3500
A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences.
Modified: 2025-11-04
CVE-2021-46310
An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4APFAWR7QE27GXQMRKR6XKNZWWUJ5YMH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HN4JOIBNMJMW2NQSGT6DCDCQZJ2ROFM7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEEGAR4WUF6LTOJEHSON7I2MBTPFTVR5/
- https://sourceforge.net/p/djvu/bugs/345/
- https://lists.debian.org/debian-lts-announce/2025/07/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4APFAWR7QE27GXQMRKR6XKNZWWUJ5YMH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HN4JOIBNMJMW2NQSGT6DCDCQZJ2ROFM7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEEGAR4WUF6LTOJEHSON7I2MBTPFTVR5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HN4JOIBNMJMW2NQSGT6DCDCQZJ2ROFM7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEEGAR4WUF6LTOJEHSON7I2MBTPFTVR5/
- https://sourceforge.net/p/djvu/bugs/345/
Modified: 2025-11-04
CVE-2021-46312
An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4APFAWR7QE27GXQMRKR6XKNZWWUJ5YMH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HN4JOIBNMJMW2NQSGT6DCDCQZJ2ROFM7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEEGAR4WUF6LTOJEHSON7I2MBTPFTVR5/
- https://sourceforge.net/p/djvu/bugs/344/
- https://lists.debian.org/debian-lts-announce/2025/07/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4APFAWR7QE27GXQMRKR6XKNZWWUJ5YMH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HN4JOIBNMJMW2NQSGT6DCDCQZJ2ROFM7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEEGAR4WUF6LTOJEHSON7I2MBTPFTVR5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HN4JOIBNMJMW2NQSGT6DCDCQZJ2ROFM7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEEGAR4WUF6LTOJEHSON7I2MBTPFTVR5/
- https://sourceforge.net/p/djvu/bugs/344/
Package opensc updated to version 0.26.1-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2025-11-06
BDU:2024-11086
Уязвимость утилиты персонализации смарт-карт pkcs15-init и библиотеки libopensc набора программных инструментов и библиотек для работы со смарт-картами OpenSC, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации
Modified: 2025-10-29
BDU:2024-11087
Уязвимость утилиты персонализации смарт-карт pkcs15-init набора программных инструментов и библиотек для работы со смарт-картами OpenSC, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Modified: 2025-10-29
BDU:2024-11088
Уязвимость утилиты персонализации смарт-карт pkcs15-init и библиотеки libopensc набора программных инструментов и библиотек для работы со смарт-картами OpenSC, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Modified: 2025-10-29
BDU:2024-11091
Уязвимость утилиты персонализации смарт-карт pkcs15-init набора программных инструментов и библиотек для работы со смарт-картами OpenSC, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2024-11092
Уязвимость утилиты персонализации смарт-карт pkcs15-init и библиотеки libopensc набора программных инструментов и библиотек для работы со смарт-картами OpenSC, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2024-11093
Уязвимость утилиты персонализации смарт-карт pkcs15-init и библиотеки libopensc набора программных инструментов и библиотек для работы со смарт-картами OpenSC, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-11-03
CVE-2024-45615
A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.).
Modified: 2025-11-03
CVE-2024-45616
A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.
Modified: 2025-11-03
CVE-2024-45617
A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.
Modified: 2025-11-03
CVE-2024-45618
A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.
Modified: 2025-11-03
CVE-2024-45619
A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.
Modified: 2025-11-03
CVE-2024-45620
A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.