Gnome: Security Vulnerabilities
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
CVSS Score
6.5
EPSS Score
0.013
Published
2020-02-02
NetworkManager 0.9.x does not pin a certificate's subject to an ESSID when 802.11X authentication is used.
CVSS Score
6.8
EPSS Score
0.001
Published
2020-01-27
GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected.
CVSS Score
5.9
EPSS Score
0.006
Published
2020-01-09
In NetworkManager 0.9.2.0, when a new wireless network was created with WPA/WPA2 security in AdHoc mode, it created an open/insecure network.
CVSS Score
4.4
EPSS Score
0.001
Published
2019-12-26
gnome-keyring does not discard stored secrets when using gnome_keyring_lock_all_sync function
CVSS Score
7.5
EPSS Score
0.004
Published
2019-12-20
Orca has arbitrary code execution due to insecure Python module load
CVSS Score
7.3
EPSS Score
0.002
Published
2019-12-11
When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.) NOTE: this does not affect an upstream release, but affects certain Linux distribution packages with version numbers such as 0.97.3.
CVSS Score
5.5
EPSS Score
0.002
Published
2019-11-29
In text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.34.0, there is a NULL pointer dereference while parsing a TTF font file that lacks a name section (due to a g_strconcat call that returns NULL).
CVSS Score
5.5
EPSS Score
0.003
Published
2019-11-27
evolution-data-server3 3.0.3 through 3.2.1 used insecure (non-SSL) connection when attempting to store sent email messages into the Sent folder, when the Sent folder was located on the remote server. An attacker could use this flaw to obtain login credentials of the victim.
CVSS Score
7.3
EPSS Score
0.002
Published
2019-11-25
gnome-system-log polkit policy allows arbitrary files on the system to be read
CVSS Score
7.5
EPSS Score
0.005
Published
2019-11-25