AFLplusplus: Arbitrary Code Execution — GLSA 202408-27

A vulnerability has been discovered in AFLplusplus, which can lead to arbitrary code execution via an untrusted CWD.

Affected packages

app-forensics/aflplusplus on all architectures
Affected versions < 4.06c
Unaffected versions >= 4.06c

Background

The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!

Description

In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.

Impact

Because the CmpLog component in AFL++ 4.05c resolves an unprefixed fuzzing target through the current working directory, a local attacker who can place an executable of that name in the directory the fuzzer is run from can have AFL++ execute it, resulting in arbitrary code execution.
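The following is an added illustration of the flaw class named in the Description and Impact above; it is not code from AFL++ or from this advisory, and the function names and the target name `fuzz_target_xyz` are hypothetical. It contrasts a launcher that resolves an unprefixed target name against the current working directory with a hardened one that searches only absolute PATH entries.

```python
# Added example for GLSA 202408-27, not AFL++'s own code: a launcher that
# resolves an unprefixed target name against the CWD, beside a hardened one.
import os
import stat
import tempfile
from typing import Optional


def _is_executable(path: str) -> bool:
    return os.path.isfile(path) and os.access(path, os.X_OK)


def resolve_unsafe(target: str, cwd: str) -> Optional[str]:
    """Flawed: a name without '/' is looked up in the CWD, so whoever
    controls that directory chooses the binary that gets executed."""
    if "/" in target:
        return target if _is_executable(target) else None
    candidate = os.path.join(cwd, target)
    return candidate if _is_executable(candidate) else None


def resolve_safe(target: str, path_env: str) -> Optional[str]:
    """Hardened: a name without '/' is searched only in absolute PATH
    entries; empty or relative entries implicitly mean the CWD, so skip."""
    if "/" in target:
        return target if _is_executable(target) else None
    for directory in path_env.split(os.pathsep):
        if directory and os.path.isabs(directory):
            candidate = os.path.join(directory, target)
            if _is_executable(candidate):
                return candidate
    return None


def demo() -> dict:
    """Constructed scenario: an untrusted working directory holding an
    executable named like the fuzzing target (name is hypothetical)."""
    with tempfile.TemporaryDirectory() as untrusted_cwd:
        planted = os.path.join(untrusted_cwd, "fuzz_target_xyz")
        with open(planted, "w") as handle:
            handle.write("#!/bin/sh\necho resolved from the CWD\n")
        os.chmod(planted, stat.S_IRWXU)
        return {
            # the flawed resolver hands exec() the file found in the CWD
            "unsafe_hits_cwd": resolve_unsafe("fuzz_target_xyz", untrusted_cwd) == planted,
            "safe": resolve_safe("fuzz_target_xyz", "/usr/bin:/bin"),
            # a relative PATH entry must not fall back to the CWD either
            "safe_rel": resolve_safe("fuzz_target_xyz", ".:relative/dir"),
        }
```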

Workaround

There is no known workaround at this time.

Resolution

All AFLplusplus users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-forensics/aflplusplus-4.06c"

References

Release date
August 11, 2024

Latest revision
August 11, 2024: 1

Severity
normal

Exploitable
local

Bugzilla entries