On Sat, 2023-06-17 at 16:14 -0400, Roberto C. Sánchez wrote:
> Hi Ola,
>
> The renderdoc situation certainly seems out of the norm for what we see.
>
> On Fri, Jun 16, 2023 at 11:34:25PM +0200, Ola Lundqvist wrote:
> > Hi
> >
> > I'm triaging the package "renderdoc" and it has three open CVEs. More
> > information about the CVEs is available here with a good description.
> > https://www.openwall.com/lists/oss-security/2023/06/06/3
> >
> > One of them is clearly a minor issue, but two of them describe the
> > possibility to execute arbitrary code for a remote attacker as the
> > user running the software. So that is rather severe. It is only during
> > the time the person in question runs this software and since it is a
> > debugger it is likely not that common.
> >
> Based on the description in that post, the exploitation is rather
> complex. However, it appears that there is no way for the user to
> configure the software to stop the bad behavior, so the options for a
> workaround are very limited to non-existent.
[...]

This could be mitigated by a local firewall. It's unfortunate that we
still don't enable that by default in desktop installations.

If we can't fix the code then maybe we could issue a DLA recommending
blocking this port.

Ben.

-- 
Ben Hutchings
Experience is directly proportional to the value of equipment destroyed
    - Carolyn Scheppner