OESA-2024-2530

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2530

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2024-2530.json

JSON Data

https://api.osv.dev/v1/vulns/OESA-2024-2530

Upstream

CVE-2024-52336

CVE-2024-52337

Published

2024-12-06T15:26:12Z

Modified

2025-09-03T06:20:36.795476Z

Summary

tuned security update

Details

Tuned is a daemon that uses udev to monitor connected devices and statically and dynamically tunes system settings according to a selected profile. It is distributed with a number of predefined profiles for common use cases like high throughput, low latency, or powersave, and allows you to further alter the rules defined for each profile and customize how to tune a particular device. To revert all changes made to the system settings by a certain profile, you can either switch to another profile or deactivate the tuned daemon.

Security Fix(es):

A script injection vulnerability was identified in the Tuned package. The instance_create() D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with script_pre or script_post options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.(CVE-2024-52336)

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, tuned-adm get_instances or other third-party programs that use Tuned's D-Bus interface for such operations.(CVE-2024-52337)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:22.03-LTS-SP3 / tuned

Package

Name: tuned
Purl: pkg:rpm/openEuler/tuned&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.24.1-1.oe2203sp3

Ecosystem specific

{
    "noarch": [
        "tuned-2.24.1-1.oe2203sp3.noarch.rpm",
        "tuned-help-2.24.1-1.oe2203sp3.noarch.rpm",
        "tuned-profiles-devel-2.24.1-1.oe2203sp3.noarch.rpm"
    ],
    "src": [
        "tuned-2.24.1-1.oe2203sp3.src.rpm"
    ]
}

openEuler:20.03-LTS-SP4 / tuned

Package

Name: tuned
Purl: pkg:rpm/openEuler/tuned&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.24.1-1.oe2003sp4

Ecosystem specific

{
    "noarch": [
        "tuned-2.24.1-1.oe2003sp4.noarch.rpm",
        "tuned-help-2.24.1-1.oe2003sp4.noarch.rpm",
        "tuned-profiles-devel-2.24.1-1.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "tuned-2.24.1-1.oe2003sp4.src.rpm"
    ]
}

openEuler:22.03-LTS-SP1 / tuned

Package

Name: tuned
Purl: pkg:rpm/openEuler/tuned&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.24.1-1.oe2203sp1

Ecosystem specific

{
    "noarch": [
        "tuned-2.24.1-1.oe2203sp1.noarch.rpm",
        "tuned-help-2.24.1-1.oe2203sp1.noarch.rpm",
        "tuned-profiles-devel-2.24.1-1.oe2203sp1.noarch.rpm"
    ],
    "src": [
        "tuned-2.24.1-1.oe2203sp1.src.rpm"
    ]
}

openEuler:24.03-LTS / tuned

Package

Name: tuned
Purl: pkg:rpm/openEuler/tuned&distro=openEuler-24.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.24.1-1.oe2403

Ecosystem specific

{
    "noarch": [
        "tuned-2.24.1-1.oe2403.noarch.rpm",
        "tuned-help-2.24.1-1.oe2403.noarch.rpm",
        "tuned-profiles-devel-2.24.1-1.oe2403.noarch.rpm"
    ],
    "src": [
        "tuned-2.24.1-1.oe2403.src.rpm"
    ]
}

openEuler:22.03-LTS-SP4 / tuned

Package

Name: tuned
Purl: pkg:rpm/openEuler/tuned&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.24.1-1.oe2203sp4

Ecosystem specific

{
    "noarch": [
        "tuned-2.24.1-1.oe2203sp4.noarch.rpm",
        "tuned-help-2.24.1-1.oe2203sp4.noarch.rpm",
        "tuned-profiles-devel-2.24.1-1.oe2203sp4.noarch.rpm"
    ],
    "src": [
        "tuned-2.24.1-1.oe2203sp4.src.rpm"
    ]
}