Add: New data stream validation utilities

[timopollmeier]

What

New utility functions have been added to allow validating the size and checksum / hash of contents of a data stream like a file being read.

Why

This is to be used for validating the integrity of agent installer files.

References

GEA-963

Checklist

• Tests

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 76a083a.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[github-actions]

🔍 Vulnerabilities of harbor-os.greenbone.net/community/gvm-libs:936-merge-amd64

📦 Image Reference harbor-os.greenbone.net/community/gvm-libs:936-merge-amd64

digest	sha256:441b711e1998e4896416b99ac08b8de3d21b6777a637da00c264905c8c459255
vulnerabilities
size	48 MB
packages	200

📦 Base Image debian:testing-20250630-slim

also known as	testing-slim
digest	sha256:3bf8d8353cfbaacf34f1a590876a714127db8f3227fbfda1380915ed844f62cc
vulnerabilities

libxml2 2.12.7+dfsg+really2.9.14-1 (deb) pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.12.7+dfsg+really2.9.14-1 Fixed version Not Fixed EPSS Score 0.05% EPSS Percentile 16th percentile Description A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. libxml2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107752) [bookworm] - libxml2 (Minor issue) https://gitlab.gnome.org/GNOME/libxml2/-/issues/933 Affected range >=2.12.7+dfsg+really2.9.14-1 Fixed version Not Fixed EPSS Score 0.07% EPSS Percentile 21st percentile Description A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. libxml2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107755) [bookworm] - libxml2 (Minor issue; revisit when fixed upstream) https://gitlab.gnome.org/GNOME/libxml2/-/issues/931 Affected range >=2.12.7+dfsg+really2.9.14-1 Fixed version Not Fixed EPSS Score 0.05% EPSS Percentile 16th percentile Description A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. libxml2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107720) [bookworm] - libxml2 (Minor issue; does not affect the parser code) https://gitlab.gnome.org/GNOME/libxml2/-/issues/926 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781 (master) Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 (2.14-branch) Affected range >=2.12.7+dfsg+really2.9.14-1 Fixed version Not Fixed EPSS Score 0.05% EPSS Percentile 16th percentile Description A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service. libxml2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107753) [bookworm] - libxml2 (Minor issue) https://gitlab.gnome.org/GNOME/libxml2/-/issues/932 Affected range >=2.12.7+dfsg+really2.9.14-1 Fixed version Not Fixed EPSS Score 0.01% EPSS Percentile 2nd percentile Description A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections. libxml2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107938; unimportant) https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 Crash in CLI tool, no security impact

pam 1.7.0-3 (deb) pkg:deb/debian/pam@1.7.0-3?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.7.0-3 Fixed version Not Fixed EPSS Score 0.02% EPSS Percentile 5th percentile Description A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions. [experimental] - pam 1.7.0-4 pam 1.7.0-5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107919) https://www.openwall.com/lists/oss-security/2025/06/17/1 GHSA-f9p8-gjr4-j9gx Fixed by: linux-pam/linux-pam@475bd60 (v1.7.1) Fixed by: linux-pam/linux-pam@592d84e (v1.7.1) Fixed by: linux-pam/linux-pam@976c200 (v1.7.1) Affected range >=1.7.0-3 Fixed version Not Fixed EPSS Score 0.17% EPSS Percentile 39th percentile Description A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals. pam 1.7.0-5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087019) [bookworm] - pam (The vulnerable code was introduced in 1.5.3) [bullseye] - pam (The vulnerable code was introduced in 1.5.3) https://bugzilla.redhat.com/show_bug.cgi?id=2324291 pam_access.so considers tty* names as hostnames linux-pam/linux-pam#834 Introduced in linux-pam/linux-pam@23393be (v1.5.3) Mitigated by: linux-pam/linux-pam@940747f (v1.7.1) Since pam/1.7.0-5 in Debian unstable backports upstream commit to implement the nodns option to allow people to work around #1087019, even though it doesn't fix the root cause.

dpkg 1.22.20 (deb) pkg:deb/debian/dpkg@1.22.20?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.22.20 Fixed version Not Fixed EPSS Score 0.06% EPSS Percentile 18th percentile Description It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions. dpkg 1.22.21 [bookworm] - dpkg (Minor issue) Fixed by: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82 (main) Fixed by: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=98c623c8d6814ae46a3b30ca22e584c77d47d86b (1.22.21)

libssh 0.11.1-2 (deb) pkg:deb/debian/libssh@0.11.1-2?os_distro=trixie&os_name=debian&os_version=13 Affected range >=0.11.1-2 Fixed version Not Fixed EPSS Score 0.04% EPSS Percentile 12th percentile Description A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior. libssh 0.11.2-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108407) [bookworm] - libssh (Minor issue) https://www.libssh.org/security/advisories/CVE-2025-5318.txt Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466 (libssh-0.11.2) Affected range >=0.11.1-2 Fixed version Not Fixed Description libssh 0.11.2-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108407) [bookworm] - libssh (Minor issue) https://www.libssh.org/security/advisories/CVE-2025-5372.txt Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972 (libssh-0.11.2) Affected range >=0.11.1-2 Fixed version Not Fixed Description libssh 0.11.2-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108407) [bookworm] - libssh (Minor issue) https://www.libssh.org/security/advisories/CVE-2025-5351.txt Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256 (libssh-0.11.2) Affected range >=0.11.1-2 Fixed version Not Fixed Description libssh 0.11.2-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108407) [bookworm] - libssh (Vulnerable code not present) [bullseye] - libssh (Vulnerable code not present) https://www.libssh.org/security/advisories/CVE-2025-5449.txt Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=261612179f740bc62ba363d98b3bd5e5573a811f (libssh-0.11.2) Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=3443aec90188d6aab9282afc80a81df5ab72c4da (libssh-0.11.2) Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=78485f446af9b30e37eb8f177b81940710d54496 (libssh-0.11.2) Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=f79ec51b7fd519dbc5737a7ba826e3ed093f6ceb (libssh-0.11.2) Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=5504ff40515439a5fecbb17da7483000c4d12eb7 (libssh-0.11.2) Affected range >=0.11.1-2 Fixed version Not Fixed Description libssh 0.11.2-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108407) [bookworm] - libssh (Minor issue) https://www.libssh.org/security/advisories/CVE-2025-5987.txt Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57 (libssh-0.11.2) Affected range >=0.11.1-2 Fixed version Not Fixed Description libssh 0.11.2-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108407) [bookworm] - libssh (Minor issue) https://www.libssh.org/security/advisories/CVE-2025-4878.txt Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1 (libssh-0.11.2) Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb (libssh-0.11.2) Affected range >=0.11.1-2 Fixed version Not Fixed Description libssh 0.11.2-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108407) [bookworm] - libssh (Minor issue) https://www.libssh.org/security/advisories/CVE-2025-4877.txt Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d (libssh-0.11.2)

perl 5.40.1-3 (deb) pkg:deb/debian/perl@5.40.1-3?os_distro=trixie&os_name=debian&os_version=13 Affected range >=5.40.1-3 Fixed version Not Fixed EPSS Score 0.02% EPSS Percentile 3rd percentile Description Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6 [experimental] - perl 5.40.1-4 perl 5.40.1-5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226) [bookworm] - perl (Minor issue; Perl maintainer will fix it via point release) [bullseye] - perl (Minor issue, revisit when fixed upstream) Thread creation while a directory handle is open does a fchdir, affecting other threads (race condition) Perl/perl5#23010 Fixed by: Perl/perl5@fc8063a (v5.41.13) Fixed by: Perl/perl5@a1327b5 (v5.41.13) Fixed by: Perl/perl5@1f9097b (v5.41.13) Fixed by: Perl/perl5@5c2e757 (v5.41.13) Squashed version of fix (to help backports): Perl/perl5@918bfff https://lists.security.metacpan.org/cve-announce/msg/30017499/ Affected range >=5.40.1-3 Fixed version Not Fixed EPSS Score 0.81% EPSS Percentile 73rd percentile Description _is_safe in the File::Temp module for Perl does not properly handle symlinks. perl (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776268) http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177 File:Temp::_is_safe() allows unsafe traversal of symlinks [rt.cpan.org #69106] Perl-Toolchain-Gang/File-Temp#14

ncurses 6.5+20250216-2 (deb) pkg:deb/debian/ncurses@6.5%2B20250216-2?os_distro=trixie&os_name=debian&os_version=13 Affected range >=6.5+20250216-2 Fixed version Not Fixed EPSS Score 0.01% EPSS Percentile 2nd percentile Description A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. ncurses (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107937) [bookworm] - ncurses (Minor issue) [bullseye] - ncurses (Minor issue) https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html https://invisible-island.net/ncurses/NEWS.html#index-t20250329

glibc 2.41-9 (deb) pkg:deb/debian/glibc@2.41-9?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.41-9 Fixed version Not Fixed EPSS Score 0.16% EPSS Percentile 38th percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern glibc (unimportant) eglibc (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=24269 Affected range >=2.41-9 Fixed version Not Fixed EPSS Score 0.23% EPSS Percentile 47th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22853 Affected range >=2.41-9 Fixed version Not Fixed EPSS Score 0.38% EPSS Percentile 58th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22852 Affected range >=2.41-9 Fixed version Not Fixed EPSS Score 0.70% EPSS Percentile 71st percentile Description GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851 Affected range >=2.41-9 Fixed version Not Fixed EPSS Score 0.14% EPSS Percentile 36th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850 Affected range >=2.41-9 Fixed version Not Fixed EPSS Score 2.00% EPSS Percentile 83rd percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep. glibc (unimportant) eglibc (unimportant) https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141 https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions Affected range >=2.41-9 Fixed version Not Fixed EPSS Score 0.37% EPSS Percentile 58th percentile Description The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. glibc (unimportant) eglibc (unimportant) That's standard POSIX behaviour implemented by (e)glibc. Applications using glob need to impose limits for themselves

openldap 2.6.10+dfsg-1 (deb) pkg:deb/debian/openldap@2.6.10%2Bdfsg-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.6.10+dfsg-1 Fixed version Not Fixed EPSS Score 0.37% EPSS Percentile 58th percentile Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184) https://bugs.openldap.org/show_bug.cgi?id=9266 https://bugzilla.redhat.com/show_bug.cgi?id=1740070 RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap behaviour does conform with RFC4513. RFC6125 does not superseed the rules for verifying service identity provided in specifications for existing application protocols published prior to RFC6125, like RFC4513 for LDAP. Affected range >=2.6.10+dfsg-1 Fixed version Not Fixed EPSS Score 2.84% EPSS Percentile 86th percentile Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. openldap (unimportant) http://www.openldap.org/its/index.cgi/Incoming?id=8759 nops slapd-module not built Affected range >=2.6.10+dfsg-1 Fixed version Not Fixed EPSS Score 0.11% EPSS Percentile 31st percentile Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. openldap (unimportant) http://www.openldap.org/its/index.cgi?findid=8703 Negligible security impact, but filed #877512 Affected range >=2.6.10+dfsg-1 Fixed version Not Fixed EPSS Score 2.37% EPSS Percentile 84th percentile Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. openldap (unimportant) Debian builds with GNUTLS, not NSS

systemd 257.6-1 (deb) pkg:deb/debian/systemd@257.6-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=257.6-1 Fixed version Not Fixed EPSS Score 0.09% EPSS Percentile 28th percentile Description An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.6-1 Fixed version Not Fixed EPSS Score 0.10% EPSS Percentile 29th percentile Description An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.6-1 Fixed version Not Fixed EPSS Score 0.13% EPSS Percentile 33rd percentile Description An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.6-1 Fixed version Not Fixed EPSS Score 0.07% EPSS Percentile 23rd percentile Description systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. systemd (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357) [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy) https://bugzilla.redhat.com/show_bug.cgi?id=859060 only relevant to systems running systemd along with selinux

krb5 1.21.3-5 (deb) pkg:deb/debian/krb5@1.21.3-5?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.21.3-5 Fixed version Not Fixed EPSS Score 0.08% EPSS Percentile 25th percentile Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.21.3-5 Fixed version Not Fixed EPSS Score 0.15% EPSS Percentile 37th percentile Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.21.3-5 Fixed version Not Fixed EPSS Score 0.46% EPSS Percentile 63rd percentile Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

libgcrypt20 1.11.0-7 (deb) pkg:deb/debian/libgcrypt20@1.11.0-7?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.11.0-7 Fixed version Not Fixed EPSS Score 0.22% EPSS Percentile 45th percentile Description A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683) https://bugzilla.redhat.com/show_bug.cgi?id=2268268 https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt https://people.redhat.com/~hkario/marvin/ https://dev.gnupg.org/T7136 https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17 Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer Affected range >=1.11.0-7 Fixed version Not Fixed EPSS Score 1.27% EPSS Percentile 79th percentile Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. libgcrypt20 (unimportant) libgcrypt11 (unimportant) gnupg1 (unimportant) gnupg (unimportant) https://github.com/weikengchen/attack-on-libgcrypt-elgamal https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html GnuPG uses ElGamal in hybrid mode only. This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner, see also https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

coreutils 9.7-3 (deb) pkg:deb/debian/coreutils@9.7-3?os_distro=trixie&os_name=debian&os_version=13 Affected range >=9.7-3 Fixed version Not Fixed EPSS Score 0.02% EPSS Percentile 2nd percentile Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.7-3 Fixed version Not Fixed EPSS Score 0.06% EPSS Percentile 17th percentile Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

shadow 1:4.17.4-2 (deb) pkg:deb/debian/shadow@1:4.17.4-2?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1:4.17.4-2 Fixed version Not Fixed EPSS Score 2.87% EPSS Percentile 86th percentile Description shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. shadow (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103832) [bookworm] - shadow (Minor issue) [bullseye] - shadow (Minor issue, disputed, no upstream patch) Default subordinate ID configuration in /etc/login.defs could lead to compromise shadow-maint/shadow#1157 Affected range >=1:4.17.4-2 Fixed version Not Fixed EPSS Score 0.25% EPSS Percentile 48th percentile Description initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. shadow (unimportant) See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so unknown usernames are not recorded on login failures

tar 1.35+dfsg-3.1 (deb) pkg:deb/debian/tar@1.35%2Bdfsg-3.1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.35+dfsg-3.1 Fixed version Not Fixed EPSS Score 2.81% EPSS Percentile 86th percentile Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

gnutls28 3.8.9-2 (deb) pkg:deb/debian/gnutls28@3.8.9-2?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.8.9-2 Fixed version Not Fixed EPSS Score 6.93% EPSS Percentile 91st percentile Description The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. sun-java6 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) openjdk-6 6b23~pre11-1 openjdk-7 7~b147-2.0-1 iceweasel (Vulnerable code not present) http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/ chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser lighttpd 1.4.30-1 strictly speaking this is no lighttpd issue, but lighttpd adds a workaround curl 7.24.0-1 http://curl.haxx.se/docs/adv_20120124B.html python2.6 2.6.8-0.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684511) [squeeze] - python2.6 (Minor issue) python2.7 2.7.3~rc1-1 python3.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678998) [squeeze] - python3.1 (Minor issue) python3.2 3.2.3~rc1-1 http://bugs.python.org/issue13885 python3.1 is fixed starting 3.1.5 cyassl gnutls26 (unimportant) gnutls28 (unimportant) No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0 haskell-tls (unimportant) No mitigation for haskell-tls, it is recommended to use TLS 1.1, which is supported since 0.2 matrixssl (low) [squeeze] - matrixssl (Minor issue) [wheezy] - matrixssl (Minor issue) matrixssl fix this upstream in 3.2.2 bouncycastle 1.49+dfsg-1 [squeeze] - bouncycastle (Minor issue) [wheezy] - bouncycastle (Minor issue) No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9 nss 3.13.1.with.ckbi.1.88-1 https://bugzilla.mozilla.org/show_bug.cgi?id=665814 https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab polarssl (unimportant) No mitigation for polarssl, it is recommended to use TLS 1.1, which is supported in all releases tlslite [wheezy] - tlslite (Minor issue) pound 2.6-2 Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks. erlang 1:15.b-dfsg-1 [squeeze] - erlang (Minor issue) asterisk 1:13.7.2dfsg-1 [jessie] - asterisk 1:11.13.1dfsg-2+deb8u1 [wheezy] - asterisk (Minor issue) [squeeze] - asterisk (Not supported in Squeeze LTS) http://downloads.digium.com/pub/security/AST-2016-001.html https://issues.asterisk.org/jira/browse/ASTERISK-24972 patch for 11 (jessie): https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4 all versions vulnerable, backport required for wheezy

glib2.0 2.84.3-1 (deb) pkg:deb/debian/glib2.0@2.84.3-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.84.3-1 Fixed version Not Fixed EPSS Score 0.49% EPSS Percentile 65th percentile Description GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application. glib2.0 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655044)

gnupg2 2.4.7-21 (deb) pkg:deb/debian/gnupg2@2.4.7-21?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.4.7-21 Fixed version Not Fixed EPSS Score 0.01% EPSS Percentile 1st percentile Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. gnupg2 (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2127010 https://dev.gnupg.org/D556 https://dev.gnupg.org/T5993 https://www.openwall.com/lists/oss-security/2022/07/04/8 GnuPG upstream is not implementing this change.

util-linux 2.41-5 (deb) pkg:deb/debian/util-linux@2.41-5?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.41-5 Fixed version Not Fixed EPSS Score 0.03% EPSS Percentile 5th percentile Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

openssl 3.5.0-2 (deb) pkg:deb/debian/openssl@3.5.0-2?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.2.1-3 Fixed version Not Fixed EPSS Score 0.10% EPSS Percentile 28th percentile Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

sqlite3 3.46.1-6 (deb) pkg:deb/debian/sqlite3@3.46.1-6?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.46.1-6 Fixed version Not Fixed EPSS Score 0.17% EPSS Percentile 39th percentile Description A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect. sqlite3 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005974) sqlite (unimportant) https://github.com/guyinatuxedo/sqlite3_record_leaking https://bugzilla.redhat.com/show_bug.cgi?id=2054793 https://sqlite.org/forum/forumpost/056d557c2f8c452ed5bb9c215414c802b215ce437be82be047726e521342161e Negligible security impact

hiredis 1.2.0-6 (deb) pkg:deb/debian/hiredis@1.2.0-6?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.2.0-6 Fixed version Not Fixed EPSS Score 0.01% EPSS Percentile 1st percentile Description Buffer Overflow in hiredis 1.2.0 allows a local attacker to cause a denial of service via the sdscatlen function. REJECTED

cjson 1.7.18-3 (deb) pkg:deb/debian/cjson@1.7.18-3?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.7.18-3 Fixed version Not Fixed EPSS Score 0.03% EPSS Percentile 7th percentile Description cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}. cjson 1.7.18-3.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103687) [bookworm] - cjson (Minor issue) https://github.com/boofish/json_bugs/tree/main/cjson Fixed by: DaveGamble/cJSON@a328d65