Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: add proper RCU protection to /proc/net/ptype<br /> <br /> Yin Fengwei reported an RCU stall in ptype_seq_show() and provided<br /> a patch.<br /> <br /> Real issue is that ptype_seq_next() and ptype_seq_show() violate<br /> RCU rules.<br /> <br /> ptype_seq_show() runs under rcu_read_lock(), and reads pt-&gt;dev<br /> to get device name without any barrier.<br /> <br /> At the same time, concurrent writers can remove a packet_type structure<br /> (which is correctly freed after an RCU grace period) and clear pt-&gt;dev<br /> without an RCU grace period.<br /> <br /> Define ptype_iter_state to carry a dev pointer along seq_net_private:<br /> <br /> struct ptype_iter_state {<br /> struct seq_net_private p;<br /> struct net_device *dev; // added in this patch<br /> };<br /> <br /> We need to record the device pointer in ptype_get_idx() and<br /> ptype_seq_next() so that ptype_seq_show() is safe against<br /> concurrent pt-&gt;dev changes.<br /> <br /> We also need to add full RCU protection in ptype_seq_next().<br /> (Missing READ_ONCE() when reading list.next values)<br /> <br /> Many thanks to Dong Chenchen for providing a repro.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: dvb-core: fix wrong reinitialization of ringbuffer on reopen<br /> <br /> dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the<br /> DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which<br /> reinitializes the waitqueue list head to empty.<br /> <br /> Since dmxdev-&gt;dvr_buffer.queue is a shared waitqueue (all opens of the<br /> same DVR device share it), this orphans any existing waitqueue entries<br /> from io_uring poll or epoll, leaving them with stale prev/next pointers<br /> while the list head is reset to {self, self}.<br /> <br /> The waitqueue and spinlock in dvr_buffer are already properly<br /> initialized once in dvb_dmxdev_init(). The open path only needs to<br /> reset the buffer data pointer, size, and read/write positions.<br /> <br /> Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct<br /> assignment of data/size and a call to dvb_ringbuffer_reset(), which<br /> properly resets pread, pwrite, and error with correct memory ordering<br /> without touching the waitqueue or spinlock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: do not free data reservation in fallback from inline due to -ENOSPC<br /> <br /> If we fail to create an inline extent due to -ENOSPC, we will attempt to<br /> go through the normal COW path, reserve an extent, create an ordered<br /> extent, etc. However we were always freeing the reserved qgroup data,<br /> which is wrong since we will use data. Fix this by freeing the reserved<br /> qgroup data in __cow_file_range_inline() only if we are not doing the<br /> fallback (ret is

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> LoongArch: Enable exception fixup for specific ADE subcode<br /> <br /> This patch allows the LoongArch BPF JIT to handle recoverable memory<br /> access errors generated by BPF_PROBE_MEM* instructions.<br /> <br /> When a BPF program performs memory access operations, the instructions<br /> it executes may trigger ADEM exceptions. The kernel’s built-in BPF<br /> exception table mechanism (EX_TYPE_BPF) will generate corresponding<br /> exception fixup entries in the JIT compilation phase; however, the<br /> architecture-specific trap handling function needs to proactively call<br /> the common fixup routine to achieve exception recovery.<br /> <br /> do_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs,<br /> ensure safe execution.<br /> <br /> Relevant test cases: illegal address access tests in module_attach and<br /> subprogs_extable of selftests/bpf.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfs: check for deleted cursors when revalidating two btrees<br /> <br /> The free space and inode btree repair functions will rebuild both btrees<br /> at the same time, after which it needs to evaluate both btrees to<br /> confirm that the corruptions are gone.<br /> <br /> However, Jiaming Zhang ran syzbot and produced a crash in the second<br /> xchk_allocbt call. His root-cause analysis is as follows (with minor<br /> corrections):<br /> <br /> In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first<br /> for BNOBT, second for CNTBT). The cause of this issue is that the<br /> first call nullified the cursor required by the second call.<br /> <br /> Let&amp;#39;s first enter xrep_revalidate_allocbt() via following call chain:<br /> <br /> xfs_file_ioctl() -&gt;<br /> xfs_ioc_scrubv_metadata() -&gt;<br /> xfs_scrub_metadata() -&gt;<br /> `sc-&gt;ops-&gt;repair_eval(sc)` -&gt;<br /> xrep_revalidate_allocbt()<br /> <br /> xchk_allocbt() is called twice in this function. In the first call:<br /> <br /> /* Note that sc-&gt;sm-&gt;sm_type is XFS_SCRUB_TYPE_BNOPT now */<br /> xchk_allocbt() -&gt;<br /> xchk_btree() -&gt;<br /> `bs-&gt;scrub_rec(bs, recp)` -&gt;<br /> xchk_allocbt_rec() -&gt;<br /> xchk_allocbt_xref() -&gt;<br /> xchk_allocbt_xref_other()<br /> <br /> since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &amp;sc-&gt;sa.cnt_cur.<br /> Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call<br /> chain:<br /> <br /> xfs_alloc_get_rec() -&gt;<br /> xfs_btree_get_rec() -&gt;<br /> xfs_btree_check_block() -&gt;<br /> (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter<br /> is true, return -EFSCORRUPTED. This should be caused by<br /> ioctl$XFS_IOC_ERROR_INJECTION I guess.<br /> <br /> Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from<br /> xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this<br /> function, *curpp (points to sc-&gt;sa.cnt_cur) is nullified.<br /> <br /> Back to xrep_revalidate_allocbt(), since sc-&gt;sa.cnt_cur has been<br /> nullified, it then triggered null-ptr-deref via xchk_allocbt() (second<br /> call) -&gt; xchk_btree().<br /> <br /> So. The bnobt revalidation failed on a cross-reference attempt, so we<br /> deleted the cntbt cursor, and then crashed when we tried to revalidate<br /> the cntbt. Therefore, check for a null cntbt cursor before that<br /> revalidation, and mark the repair incomplete. Also we can ignore the<br /> second tree entirely if the first tree was rebuilt but is already<br /> corrupt.<br /> <br /> Apply the same fix to xrep_revalidate_iallocbt because it has the same<br /> problem.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfs: check return value of xchk_scrub_create_subord<br /> <br /> Fix this function to return NULL instead of a mangled ENOMEM, then fix<br /> the callers to actually check for a null pointer and return ENOMEM.<br /> Most of the corrections here are for code merged between 6.2 and 6.10.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix reservation leak in some error paths when inserting inline extent<br /> <br /> If we fail to allocate a path or join a transaction, we return from<br /> __cow_file_range_inline() without freeing the reserved qgroup data,<br /> resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data()<br /> in such cases.

A zip slip vulnerability in the Admin import functionality of CTFd v3.8.1-18-gdb5a18c4 allows attackers to write arbitrary files outside the intended directories via supplying a crafted import.

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette&amp;#39;s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the &amp;#39;template&amp;#39; parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection.