Vulnerabilities

In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning

Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `TableChatAgent` uses `pandas eval()`. If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection. Langroid 0.53.15 sanitizes input to `TableChatAgent` by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> qibfs: fix _another_ leak<br /> <br /> failure to allocate inode =&gt; leaked dentry...<br /> <br /> this one had been there since the initial merge; to be fair,<br /> if we are that far OOM, the odds of failing at that particular<br /> allocation are low...

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()<br /> <br /> Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa<br /> implementation&amp;#39;s -&gt;key_size() callback returns an unusually large value.<br /> Herbert instead suggests (for a division by 8):<br /> <br /> X / 8 + !!(X &amp; 7)<br /> <br /> Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and<br /> use it in lieu of DIV_ROUND_UP() for -&gt;key_size() return values.<br /> <br /> Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes"<br /> parameter is a -&gt;key_size() return value in some instances, or a<br /> user-specified ASN.1 length in the case of ecdsa_get_signature_rs().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: wdm: close race between wdm_open and wdm_wwan_port_stop<br /> <br /> Clearing WDM_WWAN_IN_USE must be the last action or<br /> we can open a chardev whose URBs are still poisoned

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: class: Invalidate USB device pointers on partner unregistration<br /> <br /> To avoid using invalid USB device pointers after a Type-C partner<br /> disconnects, this patch clears the pointers upon partner unregistration.<br /> This ensures a clean state for future connections.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fix a couple of races in MNT_TREE_BENEATH handling by do_move_mount()<br /> <br /> Normally do_lock_mount(path, _) is locking a mountpoint pinned by<br /> *path and at the time when matching unlock_mount() unlocks that<br /> location it is still pinned by the same thing.<br /> <br /> Unfortunately, for &amp;#39;beneath&amp;#39; case it&amp;#39;s no longer that simple -<br /> the object being locked is not the one *path points to. It&amp;#39;s the<br /> mountpoint of path-&gt;mnt. The thing is, without sufficient locking<br /> -&gt;mnt_parent may change under us and none of the locks are held<br /> at that point. The rules are<br /> * mount_lock stabilizes m-&gt;mnt_parent for any mount m.<br /> * namespace_sem stabilizes m-&gt;mnt_parent, provided that<br /> m is mounted.<br /> * if either of the above holds and refcount of m is positive,<br /> we are guaranteed the same for refcount of m-&gt;mnt_parent.<br /> <br /> namespace_sem nests inside inode_lock(), so do_lock_mount() has<br /> to take inode_lock() before grabbing namespace_sem. It does<br /> recheck that path-&gt;mnt is still mounted in the same place after<br /> getting namespace_sem, and it does take care to pin the dentry.<br /> It is needed, since otherwise we might end up with racing mount --move<br /> (or umount) happening while we were getting locks; in that case<br /> dentry would no longer be a mountpoint and could&amp;#39;ve been evicted<br /> on memory pressure along with its inode - not something you want<br /> when grabbing lock on that inode.<br /> <br /> However, pinning a dentry is not enough - the matching mount is<br /> also pinned only by the fact that path-&gt;mnt is mounted on top it<br /> and at that point we are not holding any locks whatsoever, so<br /> the same kind of races could end up with all references to<br /> that mount gone just as we are about to enter inode_lock().<br /> If that happens, we are left with filesystem being shut down while<br /> we are holding a dentry reference on it; results are not pretty.<br /> <br /> What we need to do is grab both dentry and mount at the same time;<br /> that makes inode_lock() safe *and* avoids the problem with fs getting<br /> shut down under us. After taking namespace_sem we verify that<br /> path-&gt;mnt is still mounted (which stabilizes its -&gt;mnt_parent) and<br /> check that it&amp;#39;s still mounted at the same place. From that point<br /> on to the matching namespace_unlock() we are guaranteed that<br /> mount/dentry pair we&amp;#39;d grabbed are also pinned by being the mountpoint<br /> of path-&gt;mnt, so we can quietly drop both the dentry reference (as<br /> the current code does) and mnt one - it&amp;#39;s OK to do under namespace_sem,<br /> since we are not dropping the final refs.<br /> <br /> That solves the problem on do_lock_mount() side; unlock_mount()<br /> also has one, since dentry is guaranteed to stay pinned only until<br /> the namespace_unlock(). That&amp;#39;s easy to fix - just have inode_unlock()<br /> done earlier, while it&amp;#39;s still pinned by mp-&gt;m_dentry.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: phy: leds: fix memory leak<br /> <br /> A network restart test on a router led to an out-of-memory condition,<br /> which was traced to a memory leak in the PHY LED trigger code.<br /> <br /> The root cause is misuse of the devm API. The registration function<br /> (phy_led_triggers_register) is called from phy_attach_direct, not<br /> phy_probe, and the unregister function (phy_led_triggers_unregister)<br /> is called from phy_detach, not phy_remove. This means the register and<br /> unregister functions can be called multiple times for the same PHY<br /> device, but devm-allocated memory is not freed until the driver is<br /> unbound.<br /> <br /> This also prevents kmemleak from detecting the leak, as the devm API<br /> internally stores the allocated pointer.<br /> <br /> Fix this by replacing devm_kzalloc/devm_kcalloc with standard<br /> kzalloc/kcalloc, and add the corresponding kfree calls in the unregister<br /> path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pds_core: Prevent possible adminq overflow/stuck condition<br /> <br /> The pds_core&amp;#39;s adminq is protected by the adminq_lock, which prevents<br /> more than 1 command to be posted onto it at any one time. This makes it<br /> so the client drivers cannot simultaneously post adminq commands.<br /> However, the completions happen in a different context, which means<br /> multiple adminq commands can be posted sequentially and all waiting<br /> on completion.<br /> <br /> On the FW side, the backing adminq request queue is only 16 entries<br /> long and the retry mechanism and/or overflow/stuck prevention is<br /> lacking. This can cause the adminq to get stuck, so commands are no<br /> longer processed and completions are no longer sent by the FW.<br /> <br /> As an initial fix, prevent more than 16 outstanding adminq commands so<br /> there&amp;#39;s no way to cause the adminq from getting stuck. This works<br /> because the backing adminq request queue will never have more than 16<br /> pending adminq commands, so it will never overflow. This is done by<br /> reducing the adminq depth to 16.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()<br /> <br /> The function brcmf_usb_dl_writeimage() calls the function<br /> brcmf_usb_dl_cmd() but dose not check its return value. The<br /> &amp;#39;state.state&amp;#39; and the &amp;#39;state.bytes&amp;#39; are uninitialized if the<br /> function brcmf_usb_dl_cmd() fails. It is dangerous to use<br /> uninitialized variables in the conditions.<br /> <br /> Add error handling for brcmf_usb_dl_cmd() to jump to error<br /> handling path if the brcmf_usb_dl_cmd() fails and the<br /> &amp;#39;state.state&amp;#39; and the &amp;#39;state.bytes&amp;#39; are uninitialized.<br /> <br /> Improve the error message to report more detailed error<br /> information.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> parisc: Fix double SIGFPE crash<br /> <br /> Camm noticed that on parisc a SIGFPE exception will crash an application with<br /> a second SIGFPE in the signal handler. Dave analyzed it, and it happens<br /> because glibc uses a double-word floating-point store to atomically update<br /> function descriptors. As a result of lazy binding, we hit a floating-point<br /> store in fpe_func almost immediately.<br /> <br /> When the T bit is set, an assist exception trap occurs when when the<br /> co-processor encounters *any* floating-point instruction except for a double<br /> store of register %fr0. The latter cancels all pending traps. Let&amp;#39;s fix this<br /> by clearing the Trap (T) bit in the FP status register before returning to the<br /> signal handler in userspace.<br /> <br /> The issue can be reproduced with this test program:<br /> <br /> root@parisc:~# cat fpe.c<br /> <br /> static void fpe_func(int sig, siginfo_t *i, void *v) {<br /> sigset_t set;<br /> sigemptyset(&amp;set);<br /> sigaddset(&amp;set, SIGFPE);<br /> sigprocmask(SIG_UNBLOCK, &amp;set, NULL);<br /> printf("GOT signal %d with si_code %ld\n", sig, i-&gt;si_code);<br /> }<br /> <br /> int main() {<br /> struct sigaction action = {<br /> .sa_sigaction = fpe_func,<br /> .sa_flags = SA_RESTART|SA_SIGINFO };<br /> sigaction(SIGFPE, &amp;action, 0);<br /> feenableexcept(FE_OVERFLOW);<br /> return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308);<br /> }<br /> <br /> root@parisc:~# gcc fpe.c -lm<br /> root@parisc:~# ./a.out<br /> Floating point exception<br /> <br /> root@parisc:~# strace -f ./a.out<br /> execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0<br /> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0<br /> ...<br /> rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0<br /> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---<br /> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---<br /> +++ killed by SIGFPE +++<br /> Floating point exception

This High severity PrivEsc (Privilege Escalation) vulnerability was introduced in versions:<br /> <br /> 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core Data Center and Server<br /> <br /> 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server<br /> <br /> This PrivEsc (Privilege Escalation) vulnerability, with a CVSS Score of 7.2, allows an attacker to perform actions as a higher-privileged user. <br /> <br /> Atlassian recommends that Jira Core Data Center and Server and Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> <br /> Jira Core Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.20<br /> <br /> Jira Service Management Data Center and Server 5.12: Upgrade to a release greater than or equal to 5.12.20<br /> <br /> Jira Core Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5<br /> <br /> Jira Service Management Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5<br /> <br /> Jira Core Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0<br /> <br /> Jira Service Management Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0<br /> <br /> Jira Core Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1<br /> <br /> Jira Service Management Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1<br /> <br /> See the release notes. You can download the latest version of Jira Core Data Center and Jira Service Management Data Center from the download center. <br /> <br /> This vulnerability was reported via our Atlassian (Internal) program.