Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-59334

Publication date:
16/09/2025
Linkr is a lightweight file delivery system that downloads files from a webserver. Linkr versions through 2.0.0 do not verify the integrity or authenticity of .linkr manifest files before using their contents, allowing a tampered manifest to inject arbitrary file entries into a package distribution. An attacker can modify a generated .linkr manifest (for example by adding a new entry with a malicious URL) and when a user runs the extract command the client downloads the attacker-supplied file without verification. This enables arbitrary file injection and creates a potential path to remote code execution if a downloaded malicious binary or script is later executed. Version 2.0.1 adds a manifest integrity check that compares the checksum of the original author-created manifest to the one being extracted and aborts on mismatch, warning if no original manifest is hosted. Users should update to 2.0.1 or later. As a workaround prior to updating, use only trusted .linkr manifests, manually verify manifest integrity, and host manifests on trusted servers.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-10492

Publication date:
16/09/2025
A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
Severity CVSS v4.0: HIGH
Last modification:
17/09/2025

CVE-2025-43801

Publication date:
16/09/2025
Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to perform denial-of-service (DoS) attacks via a crafted XML-RPC request.
Severity CVSS v4.0: MEDIUM
Last modification:
17/09/2025

CVE-2023-53328

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Enhance sanity check while generating attr_list

ni_create_attr_list uses WARN_ON to catch error cases while generating attribute list, which only prints out stack trace and may not be enough. This replaces them with more proper error handling flow.

---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2023-53329

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:

workqueue: fix data race with the pwq->stats[] increment

KCSAN has discovered a data race in kernel/workqueue.c:2598:

    lockdep_invariant_state(true);
    → pwq->stats[PWQ_STAT_STARTED]++;
    trace_workqueue_execute_start(work);
    worker->current_func(work);

Moving pwq->stats[PWQ_STAT_STARTED]++; before the line

    raw_spin_unlock_irq(&pool->lock);

resolves the data race without performance penalty.

KCSAN detected at least one additional data race:

in code:

    trace_workqueue_execute_end(work, worker->current_func);
    → pwq->stats[PWQ_STAT_COM
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2023-53330

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:

caif: fix memory leak in cfctrl_linkup_request()

When linktype is unknown or kzalloc failed in cfctrl_linkup_request(), pkt is not released. Add release process to error path.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2023-53331

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:

pstore/ram: Check start of empty przs during init

After commit 30696378f68a ("pstore/ram: Do not treat empty buffers as valid"), initialization would assume a prz was valid after seeing that the buffer_size is zero (regardless of the buffer start position). This unchecked start value means it could be outside the bounds of the buffer, leading to future access panics when written to:

    sysdump_panic_event+0x3b4/0x5b8
    atomic_notifier_call_chain+0x54/0x90
    panic+0x1c8/0x42c
    die+0x29c/0x2a8
    die_kernel_fault+0x68/0x78
    __do_kernel_fault+0x1c4/0x1e0
    do_bad_area+0x40/0x100
    do_translation_fault+0x68/0x80
    do_mem_abort+0x68/0xf8
    el1_da+0x1c/0xc0
    __raw_writeb+0x38/0x174
    __memcpy_toio+0x40/0xac
    persistent_ram_update+0x44/0x12c
    persistent_ram_write+0x1a8/0x1b8
    ramoops_pstore_write+0x198/0x1e8
    pstore_console_write+0x94/0xe0
    ...

To avoid this, also check if the prz start is 0 during the initialization phase. If not, the next prz sanity check case will discover it (start > size) and zap the buffer back to a sane state.

[kees: update commit log with backtrace and clarifications]
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2023-53332

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:

genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()

If ipi_send_{mask|single}() is called with an invalid interrupt number, all the local variables there will be NULL. ipi_send_verify() which is invoked from these functions does verify its 'data' parameter, resulting in a kernel oops in irq_data_get_affinity_mask() as the passed NULL pointer gets dereferenced.

Add a missing NULL pointer check in ipi_send_verify()...

Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2023-53333

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one

Eric Dumazet says:
nf_conntrack_dccp_packet() has an unique:

    dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);

And nothing more is 'pulled' from the packet, depending on the content.
dh->dccph_doff, and/or dh->dccph_x ...)
So dccp_ack_seq() is happily reading stuff past the _dh buffer.

    BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
    Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
    [..]

Fix this by increasing the stack buffer to also include room for the extra sequence numbers and all the known dccp packet type headers, then pull again after the initial validation of the basic header.

While at it, mark packets invalid that lack 48bit sequence bit but where RFC says the type MUST use them.

Compile tested only.

v2: first skb_header_pointer() now needs to adjust the size to only pull the generic header. (Eric)

Heads-up: I intend to remove dccp conntrack support later this year.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2023-53334

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:

USB: chipidea: fix memory leak with using debugfs_lookup()

When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2023-53320

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()

The function mpi3mr_get_all_tgt_info() has four issues:

1) It calculates valid entry length in alltgt_info assuming the header part of the struct mpi3mr_device_map_info would equal to sizeof(u32). The correct size is sizeof(u64).

2) When it calculates the valid entry length kern_entrylen, it excludes one entry by subtracting 1 from num_devices.

3) It copies num_device by calling memcpy(). Substitution is enough.

4) It does not specify the calculated length to sg_copy_from_buffer(). Instead, it specifies the payload length which is larger than the alltgt_info size. It causes "BUG: KASAN: slab-out-of-bounds".

Fix the issues by using the correct header size, removing the subtraction from num_devices, replacing the memcpy() with substitution and specifying the correct length to sg_copy_from_buffer().
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2023-53321

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211_hwsim: drop short frames

While technically some control frames like ACK are shorter and end after Address 1, such frames shouldn't be forwarded through wmediumd or similar userspace, so require the full 3-address header to avoid accessing invalid memory if shorter frames are passed in.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025