flatcar · flatcar-infra · Jun 1, 2025
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 596980 BLAKE2B eddb25532154bba44bb35623eb68543626c56c08b4a9b70673d678e12e2e9d223dee9cf4d0203ab7966bfde59e62bbac75b407365fffaffd689f74499226bdef SHA512 63607f6c6d89e0de89c2ed0d49a183cf3ebf144547b6b6c3a675072d222d42a76895e60d6f7b099c2762d742420925f50f5f0705f64f212c92b5228a8c6aac91
-TIMESTAMP 2025-05-01T06:40:34Z
+MANIFEST Manifest.files.gz 598731 BLAKE2B a123a1f501b9be6c59feffa8b43671d5335b382f4b84aa603f3d15893b45a6086a5a70f86be61d8ea32bb8de2a67e35e334f33fcf58bab7db4e23c13e979ce4d SHA512 cbd4d498b4c86dcefe73be854ac45a943cd3c6f816dc6fbe600e09012c372bed7bc821a0065f103f69d153506ed854c91b2f733b93bdc5d36f8322f3e1dddfab
+TIMESTAMP 2025-06-01T06:40:37Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmgTF2JfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmg79eVfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klDRMQ/+PAi2qYoR0sip4LFgbYOupfpmsR8tU5KJ1/74lCyKWzBeJXLv6ZpzzUfQ
-/zdiT7LTQTI/S+rLzGZ9iuru+SDj+TmSaqqe3/V47EMXrIUMQmi2/wpv4Xdz6SZv
-vaIEnBvxy7AcER2kd3SjuP7oqh49lY3M8lSxGzDcyLuKLMtA0GruuXoOHK8Kc32p
-e4MTmHiysNkwQ48mxpogteDz6UzMDz69H+RidhBJLcXj+VNi69jmLFUUWJ0WlINK
-BScxduFU4NdYew2iDUFohVSAvLshHnpWUg/S6WlJo1Kf7XSjROBnuNxbrHrRfBRh
-m4mx1fdXE73jM7QOpyx+BflrOEBmvrsGC2WJpI+YU5HmhRldkq9I1+amcPJEx/WD
-8lTul44UWczfeDxOjVSwQ4Ez0a3YzGxtvo/6aT/P/8u6lxZwXC73F4vPe9B/qQDn
-tCVkS4kDfMQf3zUlypFo3ny6eF54AcWzaT6XDIYVYJD1aSMXXqHhoffznAFB9Tjd
-gmYAjCPk/6Oi7WPKEg+TryBnQLv9GEL7TRpQDAAMf0vc8OXwsJbEfS1HO8msMjA7
-+q4SVTPh7y9uKR62hu9MLuEXBxm3w4fS+U8e+62SVPIqwFsa5Q92Sh98AOPjK9yY
-ViFNSQ0SCOaoWbmk9YFaC7JywXnlIXpD7si1W5a4hQ9aIF+qLqs=
-=4GyX
+klAGUQ/9Fv/2zVWg3XQg3WRE6NXq4ZOx6laMZFPX+JnhrfyPURTBZNFgFxLhZmq9
+7i2nZ48Q4oX2pHM0BQJ9Kkmpb/+JxOmm6ndRrX9TIqI+dQiB87SRcz7N+uCtC57j
+yFyEN6szKGSERuuCRI/NDQurxN9gWpGzraukfGmJ/Z8KifFMKSRhntjy2EdT7txb
+L9nBGrpziJCuLbamA1BZaHW8LXtKoo+YQbFMul1DKN603JfL8cWBM1xWfkwlDK0Z
+Bj55FFy7lIMZqfS7toUqKY1wGophf3wAtHAp+O8J8kUNmrqTAHFgz5qU7Db8DZf3
+62AcphUqFo0YQRU+Q0oMZywxIslXbzjseLlGf2BinMATLVgSqlE4InlrUewkHIFg
+UBNqSipEhCq36Do99ku7aX3YpoS/UwS9L3YqSsIu3B0aNzd6ehbTdWVIgqlRhLip
+rWQPOSJLIn7CbSNVWST/TYOOOU4KSWXamsGH4tA5vFxjB9dwPpf6P9y8SOtjm7LZ
+gdxt1WrYto1pS/ugQevFMPFLj3CFkVxDVfATdQvTkV1JIAABw3VucGocTg94RUV6
+aj+0R5M2/nGRsPI9ByU8er/b9dV6qJh5U6MIUyxSWXgtMqBcvMSvYqyuZO/bOjHr
+NsotXbeYfj/gTvK5vQ0ZY8u5C5LDt5du5XdKK+B7csCZOVofBxA=
+=UP7i
 -----END PGP SIGNATURE-----
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-01.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-01.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202505-01">
+    <title>PAM: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in PAM, the worst of which could lead to password leakage.</synopsis>
+    <product type="ebuild">pam</product>
+    <announced>2025-05-12</announced>
+    <revised count="1">2025-05-12</revised>
+    <bug>922397</bug>
+    <bug>942075</bug>
+    <access>remote</access>
+    <affected>
+        <package name="sys-libs/pam" auto="yes" arch="*">
+            <unaffected range="ge">1.7.0_p20241230</unaffected>
+            <vulnerable range="lt">1.7.0_p20241230</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>PAM (Pluggable Authentication Modules) is an architecture allowing the separation of the development of privilege granting software from the development of secure and appropriate authentication schemes.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in PAM. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All PAM users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=sys-libs/pam-1.7.0_p20241230"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10041">CVE-2024-10041</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-05-12T06:55:41.605140Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-05-12T06:55:41.608795Z">graaff</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-02.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-02.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202505-02">
+    <title>Mozilla Firefox: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">firefox,firefox-bin</product>
+    <announced>2025-05-12</announced>
+    <revised count="1">2025-05-12</revised>
+    <bug>951563</bug>
+    <bug>953021</bug>
+    <access>remote</access>
+    <affected>
+        <package name="www-client/firefox" auto="yes" arch="*">
+            <unaffected range="ge" slot="stable">137.0.1</unaffected>
+            <unaffected range="ge" slot="esr">128.9.0</unaffected>
+            <vulnerable range="lt" slot="stable">137.0.1</vulnerable>
+            <vulnerable range="lt" slot="esr">128.9.0</vulnerable>
+        </package>
+        <package name="www-client/firefox-bin" auto="yes" arch="*">
+            <unaffected range="ge" slot="stable">137.0.1</unaffected>
+            <unaffected range="ge" slot="esr">128.9.0</unaffected>
+            <vulnerable range="lt" slot="stable">137.0.1</vulnerable>
+            <vulnerable range="lt" slot="esr">128.9.0</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Mozilla Firefox users should upgrade to the latest version in their release channel:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-137.0.1:rapid"
+          # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-128.9.0:esr"
+        </code>
+
+        <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=www-client/firefox-137.0.1:rapid"
+          # emerge --ask --oneshot --verbose ">=www-client/firefox-128.9.0:esr"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-43097">CVE-2024-43097</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1931">CVE-2025-1931</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1932">CVE-2025-1932</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1933">CVE-2025-1933</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1934">CVE-2025-1934</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1935">CVE-2025-1935</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1936">CVE-2025-1936</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1937">CVE-2025-1937</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1938">CVE-2025-1938</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1941">CVE-2025-1941</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1942">CVE-2025-1942</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1943">CVE-2025-1943</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3028">CVE-2025-3028</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3029">CVE-2025-3029</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3030">CVE-2025-3030</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3031">CVE-2025-3031</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3032">CVE-2025-3032</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3034">CVE-2025-3034</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3035">CVE-2025-3035</uri>
+        <uri>MFSA2025-14</uri>
+        <uri>MFSA2025-16</uri>
+        <uri>MFSA2025-18</uri>
+        <uri>MFSA2025-20</uri>
+        <uri>MFSA2025-22</uri>
+        <uri>MFSA2025-23</uri>
+        <uri>MFSA2025-24</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-05-12T08:06:29.059257Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-05-12T08:06:29.061692Z">graaff</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-03.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-03.xml
@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202505-03">
+    <title>Mozilla Thunderbird: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution.</synopsis>
+    <product type="ebuild">thunderbird,thunderbird-bin</product>
+    <announced>2025-05-12</announced>
+    <revised count="1">2025-05-12</revised>
+    <bug>945051</bug>
+    <bug>948114</bug>
+    <bug>951564</bug>
+    <bug>953022</bug>
+    <access>remote</access>
+    <affected>
+        <package name="mail-client/thunderbird" auto="yes" arch="*">
+            <unaffected range="ge">128.9.0</unaffected>
+            <vulnerable range="lt">128.9.0</vulnerable>
+        </package>
+        <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+            <unaffected range="ge">128.9.0</unaffected>
+            <vulnerable range="lt">128.9.0</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-128.9.0"
+        </code>
+
+        <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-128.9.0"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11692">CVE-2024-11692</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11694">CVE-2024-11694</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11695">CVE-2024-11695</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11696">CVE-2024-11696</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11697">CVE-2024-11697</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11699">CVE-2024-11699</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11700">CVE-2024-11700</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11701">CVE-2024-11701</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11704">CVE-2024-11704</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11705">CVE-2024-11705</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11706">CVE-2024-11706</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11708">CVE-2024-11708</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-43097">CVE-2024-43097</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-50336">CVE-2024-50336</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0237">CVE-2025-0237</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0238">CVE-2025-0238</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0239">CVE-2025-0239</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0240">CVE-2025-0240</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0241">CVE-2025-0241</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0242">CVE-2025-0242</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0243">CVE-2025-0243</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1931">CVE-2025-1931</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1932">CVE-2025-1932</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1933">CVE-2025-1933</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1934">CVE-2025-1934</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1935">CVE-2025-1935</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1936">CVE-2025-1936</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1937">CVE-2025-1937</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-1938">CVE-2025-1938</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3028">CVE-2025-3028</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3029">CVE-2025-3029</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3030">CVE-2025-3030</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3031">CVE-2025-3031</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3032">CVE-2025-3032</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-3034">CVE-2025-3034</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-26695">CVE-2025-26695</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-26696">CVE-2025-26696</uri>
+        <uri>MFSA2024-63</uri>
+        <uri>MFSA2024-64</uri>
+        <uri>MFSA2024-65</uri>
+        <uri>MFSA2024-67</uri>
+        <uri>MFSA2024-68</uri>
+        <uri>MFSA2025-01</uri>
+        <uri>MFSA2025-02</uri>
+        <uri>MFSA2025-05</uri>
+        <uri>MFSA2025-14</uri>
+        <uri>MFSA2025-16</uri>
+        <uri>MFSA2025-18</uri>
+        <uri>MFSA2025-20</uri>
+        <uri>MFSA2025-22</uri>
+        <uri>MFSA2025-23</uri>
+        <uri>MFSA2025-24</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-05-12T09:13:59.331961Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-05-12T09:13:59.334292Z">graaff</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-04.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-04.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202505-04">
+    <title>NVIDIA Drivers: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in NVIDIA Drivers, the worst of which could result in arbitrary code execution.</synopsis>
+    <product type="ebuild">nvidia-drivers</product>
+    <announced>2025-05-12</announced>
+    <revised count="1">2025-05-12</revised>
+    <bug>954339</bug>
+    <access>local</access>
+    <affected>
+        <package name="x11-drivers/nvidia-drivers" auto="yes" arch="*">
+            <unaffected range="ge">535.247.01</unaffected>
+            <unaffected range="ge">550.163.01</unaffected>
+            <unaffected range="ge">570.133.07</unaffected>
+            <vulnerable range="lt">535.247.01</vulnerable>
+            <vulnerable range="lt">550.163.01</vulnerable>
+            <vulnerable range="lt">570.133.07</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>NVIDIA Drivers are NVIDIA&#39;s accelerated graphics driver.</p>
+    </background>
+    <description>
+        <p>A vulnerability has been discovered in NVIDIA Drivers. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifier for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All NVIDIA Drivers 535 users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-535.247.01:0/535"
+        </code>
+
+        <p>All NVIDIA Drivers 550 users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-550.163.01:0/550"
+        </code>
+
+        <p>All NVIDIA Drivers 570 users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-570.133.07:0/570"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-23244">CVE-2025-23244</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-05-12T10:30:38.991890Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-05-12T10:30:38.996472Z">graaff</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-05.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202505-05.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202505-05">
+    <title>Orc: Arbitrary Code Execution</title>
+    <synopsis>A vulnerability has been discovered in Orc, which can lead to arbitrary code execution</synopsis>
+    <product type="ebuild">orc</product>
+    <announced>2025-05-12</announced>
+    <revised count="1">2025-05-12</revised>
+    <bug>937127</bug>
+    <access>local</access>
+    <affected>
+        <package name="dev-lang/orc" auto="yes" arch="*">
+            <unaffected range="ge">0.4.40</unaffected>
+            <vulnerable range="lt">0.4.40</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Orc is a library and set of tools for compiling and executing
+very simple programs that operate on arrays of data.  The &#34;language&#34;
+is a generic assembly language that represents many of the features
+available in SIMD architectures, including saturated addition and
+subtraction, and many arithmetic operations.</p>
+    </background>
+    <description>
+        <p>Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>It is possible for a malicious third party to trigger a buffer overflow and effect code execution with the same privileges as the orc compiler is called with by feeding it with malformed orc source files.
+
+This only affects developers and CI environments using orcc, not users of liborc.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Orc users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-lang/orc-0.4.40"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-40897">CVE-2024-40897</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-05-12T12:39:16.601801Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-05-12T12:39:16.605879Z">graaff</metadata>
+</glsa>