SB2024112726 - Fedora EPEL 9 update for needrestart

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Code Injection (CVE-ID: CVE-2024-48990)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insecure handling of environment variables. A local user can trick the application into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable and execute arbitrary code on the system as root.

2) OS Command Injection (CVE-ID: CVE-2024-11003)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the application passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. A local user can execute arbitrary OS commands as root.

Note, the vulnerability is related to #VU100773 (CVE-2024-10224).

3) Code Injection (CVE-ID: CVE-2024-48992)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insecure handling of environment variables. A local user can trick the application into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable and execute arbitrary code on the system as root.

4) Race condition (CVE-ID: CVE-2024-48991)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition. A local user can force the application into running a malicious Python interpreter instead the system one and execute arbitrary code as root.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-9d7ae25afa