Vulnerabilities in LibreCAD, Ruby, TensorFlow, Mailman and Vim

Several recently identified vulnerabilities:

  • Three vulnerabilities in the free computer-aided design system LibreCAD and the libdxfrw library allow a controlled buffer overflow and potentially execution of attacker code when opening specially crafted files in the DWG and DXF formats. The problems are so far fixed only in the form of patches (CVE-2021-21898, CVE-2021-21899, CVE-2021-21900).
  • A vulnerability (CVE-2021-41817) in the Date.parse method provided by the standard Ruby library. Flaws in the regular expressions used to parse dates in Date.parse can be used for DoS attacks that consume significant CPU time and memory when processing specially crafted data.
  • A vulnerability in the TensorFlow machine learning platform (CVE-2021-41228) allows execution of attacker code when the saved_model_cli utility processes attacker-supplied data passed via the "--input_examples" parameter. The problem is caused by passing external data to a call to the "eval" function. The issue is fixed in TensorFlow 2.7.0, 2.6.1, 2.5.2 and 2.4.4.
  • A vulnerability (CVE-2021-43331) in the GNU Mailman mailing list manager, caused by incorrect handling of some types of URLs. The problem allows JavaScript code to be executed by supplying a specially crafted URL on the settings page. Another Mailman issue (CVE-2021-43332) allows a user with moderator rights to guess the administrator password. The problems are fixed in Mailman 2.1.36.
  • A series of vulnerabilities in the Vim text editor that can lead to a buffer overflow and potentially execution of attacker code when opening specially crafted files via the "-S" option (CVE-2021-3903, CVE-2021-3872, CVE-2021-3927, CVE-2021-3928; fixes – 1
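The Ruby Date.parse item above describes a regex-driven DoS on untrusted input. As an added example (not code from Ruby or from the original article), the wrapper below bounds input length before the string reaches the regex-based parser, which is the same defence the patched date gem applies internally; the constant, exception and method names are illustrative.

```ruby
require "date"

# Upper bound on the length of a date string we are willing to hand to
# Date.parse. 128 matches the default limit the patched date gem (3.2.1+)
# enforces; the constant name is our own, not part of the standard library.
MAX_DATE_STRING_LENGTH = 128

# Raised when untrusted input is too long to parse safely.
class DateInputTooLong < ArgumentError; end

# Parse a date from untrusted input while defending against CVE-2021-41817.
# Returns a Date, or nil when the string is well-sized but not a valid date.
# Raises DateInputTooLong when the input exceeds max_len, so the expensive
# regular expressions in Date.parse never see oversized data.
def parse_date_safely(str, max_len: MAX_DATE_STRING_LENGTH)
  raise ArgumentError, "expected a String" unless str.is_a?(String)
  if str.length > max_len
    raise DateInputTooLong, "input length #{str.length} exceeds limit #{max_len}"
  end
  Date.parse(str)
rescue Date::Error, ArgumentError => e
  # Re-raise our own guard error; swallow ordinary "invalid date" failures.
  raise if e.is_a?(DateInputTooLong)
  raise if e.message == "expected a String"
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: a normal date, garbage, and an oversized string.
  puts parse_date_safely("2021-11-15")        # 2021-11-15
  p    parse_date_safely("not a date")        # nil
  begin
    parse_date_safely("1" * 10_000)
  rescue DateInputTooLong => e
    puts "rejected: #{e.message}"
  end
end
```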