Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()<br /> <br /> On the off chance that command stream passed from userspace via<br /> ioctl() call to radeon_vce_cs_parse() is weirdly crafted and<br /> first command to execute is to encode (case 0x03000001), the function<br /> in question will attempt to call radeon_vce_cs_reloc() with size<br /> argument that has not been properly initialized. Specifically, &amp;#39;size&amp;#39;<br /> will point to &amp;#39;tmp&amp;#39; variable before the latter had a chance to be<br /> assigned any value.<br /> <br /> Play it safe and init &amp;#39;tmp&amp;#39; with 0, thus ensuring that<br /> radeon_vce_cs_reloc() will catch an early error in cases like these.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with static<br /> analysis tool SVACE.<br /> <br /> (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xsk: fix an integer overflow in xp_create_and_assign_umem()<br /> <br /> Since the i and pool-&gt;chunk_size variables are of type &amp;#39;u32&amp;#39;,<br /> their product can wrap around and then be cast to &amp;#39;u64&amp;#39;.<br /> This can lead to two different XDP buffers pointing to the same<br /> memory area.<br /> <br /> Found by InfoTeCS on behalf of Linux Verification Center<br /> (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> proc: fix UAF in proc_get_inode()<br /> <br /> Fix race between rmmod and /proc/XXX&amp;#39;s inode instantiation.<br /> <br /> The bug is that pde-&gt;proc_ops don&amp;#39;t belong to /proc, it belongs to a<br /> module, therefore dereferencing it after /proc entry has been registered<br /> is a bug unless use_pde/unuse_pde() pair has been used.<br /> <br /> use_pde/unuse_pde can be avoided (2 atomic ops!) because pde-&gt;proc_ops<br /> never changes so information necessary for inode instantiation can be<br /> saved _before_ proc_register() in PDE itself and used later, avoiding<br /> pde-&gt;proc_ops-&gt;... dereference.<br /> <br /> rmmod lookup<br /> sys_delete_module<br /> proc_lookup_de<br /> pde_get(de);<br /> proc_get_inode(dir-&gt;i_sb, de);<br /> mod-&gt;exit()<br /> proc_remove<br /> remove_proc_subtree<br /> proc_entry_rundown(de);<br /> free_module(mod);<br /> <br /> if (S_ISREG(inode-&gt;i_mode))<br /> if (de-&gt;proc_ops-&gt;proc_read_iter)<br /> --&gt; As module is already freed, will trigger UAF<br /> <br /> BUG: unable to handle page fault for address: fffffbfff80a702b<br /> PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI<br /> CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)<br /> RIP: 0010:proc_get_inode+0x302/0x6e0<br /> RSP: 0018:ffff88811c837998 EFLAGS: 00010a06<br /> RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007<br /> RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158<br /> RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20<br /> R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0<br /> R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001<br /> FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> proc_lookup_de+0x11f/0x2e0<br /> __lookup_slow+0x188/0x350<br /> walk_component+0x2ab/0x4f0<br /> path_lookupat+0x120/0x660<br /> filename_lookup+0x1ce/0x560<br /> vfs_statx+0xac/0x150<br /> __do_sys_newstat+0x96/0x110<br /> do_syscall_64+0x5f/0x170<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> [adobriyan@gmail.com: don&amp;#39;t do 2 atomic ops on the common path]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: atm: fix use after free in lec_send()<br /> <br /> The -&gt;send() operation frees skb so save the length before calling<br /> -&gt;send() to avoid a use after free.

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/sched: Fix fence reference count leak<br /> <br /> The last_scheduled fence leaks when an entity is being killed and adding<br /> the cleanup callback fails.<br /> <br /> Decrement the reference count of prev when dma_fence_add_callback()<br /> fails, ensuring proper balance.<br /> <br /> [phasta: add git tag info for stable kernel]

The Big Boom Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;bbd-search&amp;#39; shortcode in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

A vulnerability has been found in PHPGurukul Boat Booking System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-subadmin.php. The manipulation of the argument sadminusername leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

A vulnerability was found in codeprojects Product Management System 1.0 and classified as problematic. This issue affects some unknown processing of the component Login. The manipulation of the argument Str1 leads to buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

A vulnerability, which was classified as critical, was found in PHPGurukul Bus Pass Management System 1.0. This affects an unknown part of the file /view-pass-detail.php. The manipulation of the argument viewid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

UNIX symbolic link (Symlink) following issue exists in FutureNet NXR series, VXR series and WXR series routers. Attaching to the affected product an external storage containing malicious symbolic link files, a logged-in administrative user may obtain and/or destroy internal files.

A vulnerability, which was classified as problematic, has been found in MindSpore 2.5.0. Affected by this issue is the function mindspore.numpy.fft.rfft2. The manipulation leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.