Vulnerabilities

An out-of-bounds write vulnerability exists in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .fadein file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

A use-after-free vulnerability exists in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .xml file can lead to heap-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability was fixed in Firefox 144.0.2.

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster.<br /> <br /> TrustyAI is creating a role `trustyai-service-operator-lmeval-user-role` and a CRB `trustyai-service-operator-default-lmeval-user-rolebinding` which is being applied to `system:authenticated` making it so that every single user or service account can get a list of pods running in any namespace on the cluster <br /> <br /> Additionally users can access all `persistentvolumeclaims` and `lmevaljobs`

Command injection vulnerability exists in the “Logging” page of the web-based configuration utility. An authenticated user with low privileged network access for the configuration utility can execute arbitrary commands on the underlying OS to obtain root SSH access to the TropOS 4th Gen device.

By making minor configuration changes to the TropOS 4th Gen device, an authenticated user with the ability to run user level shell commands can enable access via secure shell (SSH) to an unrestricted root shell. This is possible through abuse of a particular set of scripts and executables that allow for certain commands to be run as root from an unprivileged context.

The “Diagnostics Tools” page of the web-based configuration utility does not properly validate user-controlled input, allowing an authenticated user with high privileges to inject commands into the command shell of the TropOS 4th Gen device. The injected commands can be exploited to execute several set-uid (SUID) applications to ultimately gain root access to the TropOS device.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()<br /> <br /> BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186<br /> Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290<br /> <br /> CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xca/0x5f0 mm/kasan/report.c:482<br /> kasan_report+0xca/0x100 mm/kasan/report.c:595<br /> hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186<br /> hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738<br /> vfs_listxattr+0xbe/0x140 fs/xattr.c:493<br /> listxattr+0xee/0x190 fs/xattr.c:924<br /> filename_listxattr fs/xattr.c:958 [inline]<br /> path_listxattrat+0x143/0x360 fs/xattr.c:988<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7fe0e9fae16d<br /> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3<br /> RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000<br /> RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000<br /> <br /> <br /> Allocated by task 14290:<br /> kasan_save_stack+0x24/0x50 mm/kasan/common.c:47<br /> kasan_save_track+0x14/0x30 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __do_kmalloc_node mm/slub.c:4333 [inline]<br /> __kmalloc_noprof+0x219/0x540 mm/slub.c:4345<br /> kmalloc_noprof include/linux/slab.h:909 [inline]<br /> hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21<br /> hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697<br /> vfs_listxattr+0xbe/0x140 fs/xattr.c:493<br /> listxattr+0xee/0x190 fs/xattr.c:924<br /> filename_listxattr fs/xattr.c:958 [inline]<br /> path_listxattrat+0x143/0x360 fs/xattr.c:988<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> When hfsplus_uni2asc is called from hfsplus_listxattr,<br /> it actually passes in a struct hfsplus_attr_unistr*.<br /> The size of the corresponding structure is different from that of hfsplus_unistr,<br /> so the previous fix (94458781aee6) is insufficient.<br /> The pointer on the unicode buffer is still going beyond the allocated memory.<br /> <br /> This patch introduces two warpper functions hfsplus_uni2asc_xattr_str and<br /> hfsplus_uni2asc_str to process two unicode buffers,<br /> struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.<br /> When ustrlen value is bigger than the allocated memory size,<br /> the ustrlen value is limited to an safe size.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp_metrics: use dst_dev_net_rcu()<br /> <br /> Replace three dst_dev() with a lockdep enabled helper.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()<br /> <br /> Starting with commit dd26c1a23fd5 ("PCI: rcar-host: Switch to<br /> msi_create_parent_irq_domain()"), the MSI parent IRQ domain is NULL because<br /> the object of type struct irq_domain_info passed to:<br /> <br /> msi_create_parent_irq_domain() -&gt;<br /> irq_domain_instantiate()() -&gt;<br /> __irq_domain_instantiate()<br /> <br /> has no reference to the parent IRQ domain. Using msi-&gt;domain-&gt;parent as an<br /> argument for generic_handle_domain_irq() leads to below error:<br /> <br /> "Unable to handle kernel NULL pointer dereference at virtual address"<br /> <br /> This error was identified while switching the upcoming RZ/G3S PCIe host<br /> controller driver to msi_create_parent_irq_domain() (which was using a<br /> similar pattern to handle MSIs (see link section)), but it was not tested<br /> on hardware using the pcie-rcar-host controller driver due to lack of<br /> hardware.<br /> <br /> [mani: reworded subject and description]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid overflow while left shift operation<br /> <br /> Should cast type of folio-&gt;index from pgoff_t to loff_t to avoid overflow<br /> while left shift operation.