Tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

输入验证不恰当

tuned 安全漏洞

tuned是tuned开源的一款动态系统调优工具的服务端程序。该程序主要用于监控和收集系统各个组件的数据，并依据数据提供的信息动态调整系统设置。 tuned存在安全漏洞，该漏洞源于对某些API参数的清理不当，Tuned软件包中发现了日志欺骗漏洞。

N/A

N/A