Vulnerabilities

WeGIA is a Web manager for charitable institutions. A security vulnerability was identified in versions prior to 3.2.6, where it is possible to change a user's password without verifying the old password. This issue exists in the control.php endpoint and allows unauthorized attackers to bypass authentication and authorization mechanisms to reset the password of any user, including admin accounts. Version 3.2.6 fixes the issue.

WeGIA is a Web manager for charitable institutions. A stored Cross-Site Scripting (XSS) vulnerability was identified in versions prior to 3.2.8. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page. Version 3.2.8 fixes the issue.

WeGIA is a Web manager for charitable institutions. A stored Cross-Site Scripting (XSS) vulnerability was identified in versions prior to 3.2.6. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page. Version 3.2.6 fixes the issue.

WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.2.8 in the endpoint /WeGIA/html/funcionario/remuneracao.php, in the id_funcionario parameter. This vulnerability allows the execution of arbitrary SQL commands, which can compromise the confidentiality, integrity, and availability of stored data. Version 3.2.8 fixes the issue.

WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.2.8 in the endpoint /WeGIA/html/socio/sistema/controller/query_geracao_auto.php, specifically in the query parameter. This vulnerability allows the execution of arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. Version 3.2.8 fixes the issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits<br /> <br /> If the offset + length goes over the ethernet + vlan header, then the<br /> length is adjusted to copy the bytes that are within the boundaries of<br /> the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +<br /> vlan header are copied directly from the skbuff data area.<br /> <br /> Fix incorrect arithmetic operator: subtract, not add, the size of the<br /> vlan header in case of double-tagged packets to adjust the length<br /> accordingly to address CVE-2023-0179.

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.<br /> <br /> This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/imc-pmu: Fix use of mutex in IRQs disabled section<br /> <br /> Current imc-pmu code triggers a WARNING with CONFIG_DEBUG_ATOMIC_SLEEP<br /> and CONFIG_PROVE_LOCKING enabled, while running a thread_imc event.<br /> <br /> Command to trigger the warning:<br /> # perf stat -e thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/ sleep 5<br /> <br /> Performance counter stats for &amp;#39;sleep 5&amp;#39;:<br /> <br /> 0 thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/<br /> <br /> 5.002117947 seconds time elapsed<br /> <br /> 0.000131000 seconds user<br /> 0.001063000 seconds sys<br /> <br /> Below is snippet of the warning in dmesg:<br /> <br /> BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580<br /> in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2869, name: perf-exec<br /> preempt_count: 2, expected: 0<br /> 4 locks held by perf-exec/2869:<br /> #0: c00000004325c540 (&amp;sig-&gt;cred_guard_mutex){+.+.}-{3:3}, at: bprm_execve+0x64/0xa90<br /> #1: c00000004325c5d8 (&amp;sig-&gt;exec_update_lock){++++}-{3:3}, at: begin_new_exec+0x460/0xef0<br /> #2: c0000003fa99d4e0 (&amp;cpuctx_lock){-...}-{2:2}, at: perf_event_exec+0x290/0x510<br /> #3: c000000017ab8418 (&amp;ctx-&gt;lock){....}-{2:2}, at: perf_event_exec+0x29c/0x510<br /> irq event stamp: 4806<br /> hardirqs last enabled at (4805): [] _raw_spin_unlock_irqrestore+0x94/0xd0<br /> hardirqs last disabled at (4806): [] perf_event_exec+0x394/0x510<br /> softirqs last enabled at (0): [] copy_process+0xc34/0x1ff0<br /> softirqs last disabled at (0): [] 0x0<br /> CPU: 36 PID: 2869 Comm: perf-exec Not tainted 6.2.0-rc2-00011-g1247637727f2 #61<br /> Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV<br /> Call Trace:<br /> dump_stack_lvl+0x98/0xe0 (unreliable)<br /> __might_resched+0x2f8/0x310<br /> __mutex_lock+0x6c/0x13f0<br /> thread_imc_event_add+0xf4/0x1b0<br /> event_sched_in+0xe0/0x210<br /> merge_sched_in+0x1f0/0x600<br /> visit_groups_merge.isra.92.constprop.166+0x2bc/0x6c0<br /> ctx_flexible_sched_in+0xcc/0x140<br /> ctx_sched_in+0x20c/0x2a0<br /> ctx_resched+0x104/0x1c0<br /> perf_event_exec+0x340/0x510<br /> begin_new_exec+0x730/0xef0<br /> load_elf_binary+0x3f8/0x1e10<br /> ...<br /> do not call blocking ops when !TASK_RUNNING; state=2001 set at [] do_nanosleep+0x60/0x1a0<br /> WARNING: CPU: 36 PID: 2869 at kernel/sched/core.c:9912 __might_sleep+0x9c/0xb0<br /> CPU: 36 PID: 2869 Comm: sleep Tainted: G W 6.2.0-rc2-00011-g1247637727f2 #61<br /> Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV<br /> NIP: c000000000194a1c LR: c000000000194a18 CTR: c000000000a78670<br /> REGS: c00000004d2134e0 TRAP: 0700 Tainted: G W (6.2.0-rc2-00011-g1247637727f2)<br /> MSR: 9000000000021033 CR: 48002824 XER: 00000000<br /> CFAR: c00000000013fb64 IRQMASK: 1<br /> <br /> The above warning triggered because the current imc-pmu code uses mutex<br /> lock in interrupt disabled sections. The function mutex_lock()<br /> internally calls __might_resched(), which will check if IRQs are<br /> disabled and in case IRQs are disabled, it will trigger the warning.<br /> <br /> Fix the issue by changing the mutex lock to spinlock.<br /> <br /> [mpe: Fix comments, trim oops in change log, add reported-by tags]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.<br /> <br /> When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of<br /> an arithmetic expression 2

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt<br /> <br /> The commit 4af1b64f80fb ("octeontx2-pf: Fix lmtst ID used in aura<br /> free") uses the get/put_cpu() to protect the usage of percpu pointer<br /> in -&gt;aura_freeptr() callback, but it also unnecessarily disable the<br /> preemption for the blockable memory allocation. The commit 87b93b678e95<br /> ("octeontx2-pf: Avoid use of GFP_KERNEL in atomic context") tried to<br /> fix these sleep inside atomic warnings. But it only fix the one for<br /> the non-rt kernel. For the rt kernel, we still get the similar warnings<br /> like below.<br /> BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46<br /> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0<br /> preempt_count: 1, expected: 0<br /> RCU nest depth: 0, expected: 0<br /> 3 locks held by swapper/0/1:<br /> #0: ffff800009fc5fe8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x24/0x30<br /> #1: ffff000100c276c0 (&amp;mbox-&gt;lock){+.+.}-{3:3}, at: otx2_init_hw_resources+0x8c/0x3a4<br /> #2: ffffffbfef6537e0 (&amp;cpu_rcache-&gt;lock){+.+.}-{2:2}, at: alloc_iova_fast+0x1ac/0x2ac<br /> Preemption disabled at:<br /> [] otx2_rq_aura_pool_init+0x14c/0x284<br /> CPU: 20 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc3-rt1-yocto-preempt-rt #1<br /> Hardware name: Marvell OcteonTX CN96XX board (DT)<br /> Call trace:<br /> dump_backtrace.part.0+0xe8/0xf4<br /> show_stack+0x20/0x30<br /> dump_stack_lvl+0x9c/0xd8<br /> dump_stack+0x18/0x34<br /> __might_resched+0x188/0x224<br /> rt_spin_lock+0x64/0x110<br /> alloc_iova_fast+0x1ac/0x2ac<br /> iommu_dma_alloc_iova+0xd4/0x110<br /> __iommu_dma_map+0x80/0x144<br /> iommu_dma_map_page+0xe8/0x260<br /> dma_map_page_attrs+0xb4/0xc0<br /> __otx2_alloc_rbuf+0x90/0x150<br /> otx2_rq_aura_pool_init+0x1c8/0x284<br /> otx2_init_hw_resources+0xe4/0x3a4<br /> otx2_open+0xf0/0x610<br /> __dev_open+0x104/0x224<br /> __dev_change_flags+0x1e4/0x274<br /> dev_change_flags+0x2c/0x7c<br /> ic_open_devs+0x124/0x2f8<br /> ip_auto_config+0x180/0x42c<br /> do_one_initcall+0x90/0x4dc<br /> do_basic_setup+0x10c/0x14c<br /> kernel_init_freeable+0x10c/0x13c<br /> kernel_init+0x2c/0x140<br /> ret_from_fork+0x10/0x20<br /> <br /> Of course, we can shuffle the get/put_cpu() to only wrap the invocation<br /> of -&gt;aura_freeptr() as what commit 87b93b678e95 does. But there are only<br /> two -&gt;aura_freeptr() callbacks, otx2_aura_freeptr() and<br /> cn10k_aura_freeptr(). There is no usage of perpcu variable in the<br /> otx2_aura_freeptr() at all, so the get/put_cpu() seems redundant to it.<br /> We can move the get/put_cpu() into the corresponding callback which<br /> really has the percpu variable usage and avoid the sprinkling of<br /> get/put_cpu() in several places.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-pf: Avoid use of GFP_KERNEL in atomic context<br /> <br /> Using GFP_KERNEL in preemption disable context, causing below warning<br /> when CONFIG_DEBUG_ATOMIC_SLEEP is enabled.<br /> <br /> [ 32.542271] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274<br /> [ 32.550883] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0<br /> [ 32.558707] preempt_count: 1, expected: 0<br /> [ 32.562710] RCU nest depth: 0, expected: 0<br /> [ 32.566800] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc2-00269-gae9dcb91c606 #7<br /> [ 32.576188] Hardware name: Marvell CN106XX board (DT)<br /> [ 32.581232] Call trace:<br /> [ 32.583670] dump_backtrace.part.0+0xe0/0xf0<br /> [ 32.587937] show_stack+0x18/0x30<br /> [ 32.591245] dump_stack_lvl+0x68/0x84<br /> [ 32.594900] dump_stack+0x18/0x34<br /> [ 32.598206] __might_resched+0x12c/0x160<br /> [ 32.602122] __might_sleep+0x48/0xa0<br /> [ 32.605689] __kmem_cache_alloc_node+0x2b8/0x2e0<br /> [ 32.610301] __kmalloc+0x58/0x190<br /> [ 32.613610] otx2_sq_aura_pool_init+0x1a8/0x314<br /> [ 32.618134] otx2_open+0x1d4/0x9d0<br /> <br /> To avoid use of GFP_ATOMIC for memory allocation, disable preemption<br /> after all memory allocation is done.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/core: Fix ib block iterator counter overflow<br /> <br /> When registering a new DMA MR after selecting the best aligned page size<br /> for it, we iterate over the given sglist to split each entry to smaller,<br /> aligned to the selected page size, DMA blocks.<br /> <br /> In given circumstances where the sg entry and page size fit certain<br /> sizes and the sg entry is not aligned to the selected page size, the<br /> total size of the aligned pages we need to cover the sg entry is &gt;= 4GB.<br /> Under this circumstances, while iterating page aligned blocks, the<br /> counter responsible for counting how much we advanced from the start of<br /> the sg entry is overflowed because its type is u32 and we pass 4GB in<br /> size. This can lead to an infinite loop inside the iterator function<br /> because the overflow prevents the counter to be larger<br /> than the size of the sg entry.<br /> <br /> Fix the presented problem by changing the advancement condition to<br /> eliminate overflow.<br /> <br /> Backtrace:<br /> [ 192.374329] efa_reg_user_mr_dmabuf<br /> [ 192.376783] efa_register_mr<br /> [ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000<br /> [ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000]<br /> [ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3<br /> [ 192.399559] hp_cnt[3], pages_in_hp[524288]<br /> [ 192.403690] umem-&gt;sgt_append.sgt.nents[1]<br /> [ 192.407905] number entries: [1], pg_bit: [31]<br /> [ 192.411397] biter-&gt;__sg_nents [1] biter-&gt;__sg [0000000008b0c5d8]<br /> [ 192.415601] biter-&gt;__sg_advance [665837568] sg_dma_len[3221225472]<br /> [ 192.419823] biter-&gt;__sg_nents [1] biter-&gt;__sg [0000000008b0c5d8]<br /> [ 192.423976] biter-&gt;__sg_advance [2813321216] sg_dma_len[3221225472]<br /> [ 192.428243] biter-&gt;__sg_nents [1] biter-&gt;__sg [0000000008b0c5d8]<br /> [ 192.432397] biter-&gt;__sg_advance [665837568] sg_dma_len[3221225472]