Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily updates on the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-27769

Publication date:
18/03/2024
Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor may allow Taking Ownership Over Devices
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2024-27770

Publication date:
18/03/2024
Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-23: Relative Path Traversal
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2024-27771

Publication date:
18/03/2024
Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-22: 'Path Traversal' may allow RCE
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2024-2496

Publication date:
18/03/2024
A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function in libvirt. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2024-28550

Publication date:
18/03/2024
Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the filePath parameter of formExpandDlnaFile function.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-2002

Publication date:
18/03/2024
A double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2023-7250

Publication date:
18/03/2024
A flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2025

CVE-2024-20767

Publication date:
18/03/2024
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2024

CVE-2024-26641

Publication date:
18/03/2024
In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()

syzbot found __ip6_tnl_rcv() could access uninitialized data [1].

Call pskb_inet_may_pull() to fix this, and initialize ipv6h
variable after this call as it can change skb->head.

[1]
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
__INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727
__ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845
ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888
gre_rcv+0x143f/0x1870
ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
dst_input include/net/dst.h:461 [inline]
ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:314 [inline]
ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5532 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646
netif_receive_skb_internal net/core/dev.c:5732 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5791
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2084 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x786/0x1200 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
__alloc_skb+0x318/0x740 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787
tun_alloc_skb drivers/net/tun.c:1531 [inline]
tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2084 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x786/0x1200 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-26640

Publication date:
18/03/2024
In the Linux kernel, the following vulnerability has been resolved:

tcp: add sanity checks to rx zerocopy

TCP rx zerocopy intent is to map pages initially allocated
from NIC drivers, not pages owned by a fs.

This patch adds to can_map_frag() these additional checks:

- Page must not be a compound one.
- page->mapping must be NULL.

This fixes the panic reported by ZhangPeng.

syzbot was able to loopback packets built with sendfile(),
mapping pages owned by an ext4 file to TCP rx zerocopy.

r3 = socket$inet_tcp(0x2, 0x1, 0x0)
mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
r4 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)
fallocate(r5, 0x0, 0x0, 0x85b8)
sendfile(r4, r5, 0x0, 0x8ba0)
getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
&(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2024-26639

Publication date:
18/03/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2024

CVE-2024-26634

Publication date:
18/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: fix removing a namespace with conflicting altnames

Mark reports a BUG() when a net namespace is removed.

kernel BUG at net/core/dev.c:11520!

Physical interfaces moved outside of init_net get "refunded"
to init_net when that namespace disappears. The main interface
name may get overwritten in the process if it would have
conflicted. We need to also discard all conflicting altnames.
Recent fixes addressed ensuring that altnames get moved
with the main interface, which surfaced this problem.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025