HCE2-SA-2024-0338 Important HCE 2.0 Security Fix(es): A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the _x27;evil_x27; the attacker could mimic a valid TuneD log line and trick the administrator. The quotes _x27;_x27; are usually used in TuneD logs citing raw user input, so there will always be the _x27; character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned_x27;s D-Bus interface for such operations. (CVE-2024-52337) A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation. (CVE-2024-52336) HCE 2.0 tuned-2.24.1-1.hce2.noarch.rpm tuned-help-2.24.1-1.hce2.noarch.rpm tuned-profiles-devel-2.24.1-1.hce2.noarch.rpm