1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202505-05 ] Orc: Arbitrary Code Execution

    From glsamaker@gentoo.org@21:1/5 to All on Mon May 12 14:50:01 2025
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202505-05
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: Orc: Arbitrary Code Execution
    Date: May 12, 2025
    Bugs: #937127
    ID: 202505-05

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Orc, which can lead to arbitrary
    code execution

    Background
    ==========

    Orc is a library and set of tools for compiling and executing
    very simple programs that operate on arrays of data. The "language"
    is a generic assembly language that represents many of the features
    available in SIMD architectures, including saturated addition and
    subtraction, and many arithmetic operations.

    Affected packages
    =================

    Package Vulnerable Unaffected
    ------------ ------------ ------------
    dev-lang/orc < 0.4.40 >= 0.4.40

    Description
    ===========

    Please review the CVE identifier referenced below for details.

    Impact
    ======

    It is possible for a malicious third party to trigger a buffer overflow
    and effect code execution with the same privileges as the orc compiler
    is called with by feeding it with malformed orc source files.

    This only affects developers and CI environments using orcc, not users
    of liborc.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Orc users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/orc-0.4.40"

    References
    ==========

    [ 1 ] CVE-2024-40897
    https://nvd.nist.gov/vuln/detail/CVE-2024-40897

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202505-05

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2025 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmgh7BoACgkQFMQkOaVy +9nJuA//X19SuP4mXAg/OdajRF0Tyrigm31nRM9538lB1/jfGzyjCUFS7v8njoT0 Jfu3nK1h5us62ZJIkKCyDjD1idF7YMUzGPyzumu7Ec1TiRpFbzSK5BzSH/Tm2O3V ZTeMDbWYxSzbgjnJscMlqizvhnEYJGSuGB0aU6B7NTOd6fd0xRMlvH2PmG19TYTo riyMKDLY8WtflDEZs/rtSeuLgczoIZEetG3sK1MQsGLWMxdPZny0g/yw8be5rvTc inewt5pxhUQmriGo/oY2Pr/k8K7kOPA/OpIeotx7QEGWEzz0PtjnF9evI9PjKXFc g/k6jk8KwnXS3WsHQfHvH6s2l20LLSC5Oe+ymY/pFwNckByNklK7C8zzeX1SSkrC kP2adXrlrqMpidy6fIeOxSthwEgVa2/Q8fyHUqJ4qKttpr43LlSxJhn28Zny2aAd SI1FYQYJtSHoCsJfuQmslSLmFFUrzmiXiC0mogVzrfiGhXoImzV+YO5vwEKe/bVQ WYv5T/JamuLRKJqxstChKw4nxzy99MKAVzYcj2N+P6lynTClWEOnWUYHHd6Vx1J0 7MBtL6PRmGH0OumW+jKrHQmqzOwVvVBTebE4RbykqycUvHG0bDhYC9wkoYuoxrBf jCwgvcomzzz4ktf9sruBmEUw7KM3hzqXmg0PadnYOs1ROOiQ5As=
    =3656
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)