Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded()<br /> <br /> The sma1307-&gt;set.header_size is how many integers are in the header<br /> (there are 8 of them) but instead of allocating space of 8 integers<br /> we allocate 8 bytes. This leads to memory corruption when we copy data<br /> it on the next line:<br /> <br /> memcpy(sma1307-&gt;set.header, data,<br /> sma1307-&gt;set.header_size * sizeof(int));<br /> <br /> Also since we&amp;#39;re immediately copying over the memory in -&gt;set.header,<br /> there is no need to zero it in the allocator. Use devm_kmalloc_array()<br /> to allocate the memory instead.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: let recv_done verify data_offset, data_length and remaining_data_length<br /> <br /> This is inspired by the related server fixes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: af_alg - Set merge to zero early in af_alg_sendmsg<br /> <br /> If an error causes af_alg_sendmsg to abort, ctx-&gt;merge may contain<br /> a garbage value from the previous loop. This may then trigger a<br /> crash on the next entry into af_alg_sendmsg when it attempts to do<br /> a merge that can&amp;#39;t be done.<br /> <br /> Fix this by setting ctx-&gt;merge to zero near the start of the loop.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: let smbd_destroy() call disable_work_sync(&amp;info-&gt;post_send_credits_work)<br /> <br /> In smbd_destroy() we may destroy the memory so we better<br /> wait until post_send_credits_work is no longer pending<br /> and will never be started again.<br /> <br /> I actually just hit the case using rxe:<br /> <br /> WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe]<br /> ...<br /> [ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs]<br /> [ 5305.687135] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 5305.687149] [ T138] ? __kasan_check_write+0x14/0x30<br /> [ 5305.687185] [ T138] ? __pfx_smbd_post_recv+0x10/0x10 [cifs]<br /> [ 5305.687329] [ T138] ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> [ 5305.687356] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 5305.687368] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 5305.687378] [ T138] ? _raw_spin_unlock_irqrestore+0x11/0x60<br /> [ 5305.687389] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 5305.687399] [ T138] ? get_receive_buffer+0x168/0x210 [cifs]<br /> [ 5305.687555] [ T138] smbd_post_send_credits+0x382/0x4b0 [cifs]<br /> [ 5305.687701] [ T138] ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs]<br /> [ 5305.687855] [ T138] ? __pfx___schedule+0x10/0x10<br /> [ 5305.687865] [ T138] ? __pfx__raw_spin_lock_irq+0x10/0x10<br /> [ 5305.687875] [ T138] ? queue_delayed_work_on+0x8e/0xa0<br /> [ 5305.687889] [ T138] process_one_work+0x629/0xf80<br /> [ 5305.687908] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 5305.687917] [ T138] ? __kasan_check_write+0x14/0x30<br /> [ 5305.687933] [ T138] worker_thread+0x87f/0x1570<br /> ...<br /> <br /> It means rxe_post_recv was called after rdma_destroy_qp().<br /> This happened because put_receive_buffer() was triggered<br /> by ib_drain_qp() and called:<br /> queue_work(info-&gt;workqueue, &amp;info-&gt;post_send_credits_work);

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path<br /> <br /> During tests of another unrelated patch I was able to trigger this<br /> error: Objects remaining on __kmem_cache_shutdown()

The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the &amp;#39;/admin/inc/post-management.php&amp;#39; file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the &amp;#39;range-date&amp;#39; parameter in all versions up to, and including, 5.20.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The Contest Gallery – Upload, Vote &amp; Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim&amp;#39;s browser.

The WDesignKit – Elementor &amp; Gutenberg Starter Templates, Patterns, Cloud Workspace &amp; Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services.

The Majestic Before After Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;before_label&amp;#39; and &amp;#39;after_label&amp;#39; parameters in versions less than, or equal to, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.