Two Vulnerabilities to be Found at SDL

Two of six serious vulnerabilities in this cross-platform multimedia library create conditions for remote code execution.
04 July 2019   873

The SDL (Simple Direct Layer) library set, which provides tools for hardware accelerated 2D and 3D graphics rendering, input processing, audio playback, 3D output via OpenGL / OpenGL ES, and many other related operations, revealed 6 vulnerabilities. Including in the SDL2_image library, two problems have been discovered that allow organizing remote code execution in the system. Attacks can be made on applications that use SDL to load images.

Both vulnerabilities (CVE-2019-5051, CVE-2019-5051) are present in the IMG_LoadPCX_RW function and are caused by the lack of the necessary error handler and integer overflow that can be exploited through the transfer of a specially crafted PCX file. Issues have already been fixed in the SDL_image 2.0.5 release. Information about the remaining 4 vulnerabilities has not yet been disclosed.

Vulnerabilities were found by Talos, so you can find more info at their website.

GNU Rush 2.0 to be Available

Rush is created for systems with limited remote access, so, for example, it can be used to remotely launch programs in a chroot environment
03 July 2019   884

GNU Rush 2.0 (Restricted User Shell), designed for use in systems with reduced remote access, which require restriction of user actions, is released. Rush makes it possible to determine which command line functions a user can use and what resources are provided to him (memory size, processor time, etc.).

For example, Rush can be used to remotely launch programs in a chroot environment, which helps increase security when providing access through programs such as sftp-server or scp, which by default have access to the entire file system. Another useful feature of Rush is to support sending a notification to another process about the end of a user session via a network or Unix socket. All connections through Rush are tracked and logged. To view a list of active users and their connection history, rushwho and rushlast utilities are offered.

In the new release, the configuration processing code has been completely rewritten and a new syntax of the file with the settings has been proposed (the old syntax support has been retained for backward compatibility). The new syntax offers new control structures and processing instructions for various operations.