Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of all of the latest documented and recognised vulnerabilities for anyone interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-71234

Publication date:
18/02/2026
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add

The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info through sta->drv_priv, this results in a slab-out-of-bounds write.

KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:

    BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
    Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12

Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, similar to how hw->vif_data_size is configured. This ensures mac80211 allocates sufficient space for the driver's per-station private data.

Tested on StarFive VisionFive 2 v1.2A board.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2025-71233

Publication date:
18/02/2026
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Avoid creating sub-groups asynchronously

The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.

The crash can be easily reproduced with the following commands:

    # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
    # for i in {1..20}; do mkdir test && rmdir test; done

    BUG: kernel NULL pointer dereference, address: 0000000000000088
    ...
    Call Trace:
    configfs_register_group+0x3d/0x190
    pci_epf_cfs_work+0x41/0x110
    process_one_work+0x18f/0x350
    worker_thread+0x25a/0x3a0

Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.

[mani: slightly reworded the description and added stable list]
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2025-70998

Publication date:
18/02/2026
UTT HiPER 810 / nv810v4 router firmware v1.5.0-140603 was discovered to contain insecure default credentials for the telnet service, possibly allowing a remote attacker to gain root access via a crafted script.
Severity CVSS v4.0: Pending analysis
Last modification:
19/02/2026

CVE-2025-65791

Publication date:
18/02/2026
ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.
Severity CVSS v4.0: Pending analysis
Last modification:
11/03/2026

CVE-2025-71232

Publication date:
18/02/2026
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Free sp in error path to fix system crash

System crash seen during load/unload test in a loop.

Free sp in the error path to fix the crash.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2025-71231

Publication date:
18/02/2026
In the Linux kernel, the following vulnerability has been resolved:

crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode

The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.

If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().

Fix both issues by returning either a valid index or -EINVAL.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2025-71230

Publication date:
18/02/2026
In the Linux kernel, the following vulnerability has been resolved:

hfs: ensure sb->s_fs_info is always cleaned up

When hfs was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info. If setup_bdev_super() fails after a new superblock has been allocated by sget_fc(), but before hfs_fill_super() takes ownership of the filesystem-specific s_fs_info data it was leaked.

Fix this by freeing sb->s_fs_info in hfs_kill_super().
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2025-71229

Publication date:
18/02/2026
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()

rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.

Do 1 byte reads/writes instead.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2025-65519

Publication date:
18/02/2026
mayswind ezbookkeeping versions 1.2.0 and earlier contain a critical vulnerability in JSON and XML file import processing. The application fails to validate nesting depth during parsing operations, allowing authenticated attackers to trigger denial of service conditions by uploading deeply nested malicious files. This results in CPU exhaustion, service degradation, or complete service unavailability.
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2025-15579

Publication date:
18/02/2026
Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection.

The vulnerability could lead to remote code execution, denial of service, or privilege escalation.

This issue affects Directory Services: before 24.4.16, from 25.1 before 25.1.9, from 25.2 before 25.2.9, from 25.3 before 25.3.8, from 25.4 before 25.4.5, from 26.1 before 26.1.2.
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2026-2329

Publication date:
18/02/2026
An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.
Severity CVSS v4.0: CRITICAL
Last modification:
20/02/2026

CVE-2026-2656

Publication date:
18/02/2026
A flaw has been found in ChaiScript up to 6.1.0. This affects the function chaiscript::Type_Info::bare_equal of the file include/chaiscript/dispatchkit/type_info.hpp. This manipulation causes use after free. The attack requires local access. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026