Vulnerabilities

Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads.

MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget.

dataSIMS Avionics ARINC 664-1 version 4.5.3 contains a local buffer overflow vulnerability that allows attackers to overwrite memory by manipulating the milstd1553result.txt file. Attackers can craft a malicious file with carefully constructed payload and alignment sections to potentially execute arbitrary code on the Windows system.

Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter.

MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: replace overzealous BUG_ON in osdmap_apply_incremental()<br /> <br /> If the osdmap is (maliciously) corrupted such that the incremental<br /> osdmap epoch is different from what is expected, there is no need to<br /> BUG. Instead, just declare the incremental osdmap to be invalid.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: make free_choose_arg_map() resilient to partial allocation<br /> <br /> free_choose_arg_map() may dereference a NULL pointer if its caller fails<br /> after a partial allocation.<br /> <br /> For example, in decode_choose_args(), if allocation of arg_map-&gt;args<br /> fails, execution jumps to the fail label and free_choose_arg_map() is<br /> called. Since arg_map-&gt;size is updated to a non-zero value before memory<br /> allocation, free_choose_arg_map() will iterate over arg_map-&gt;args and<br /> dereference a NULL pointer.<br /> <br /> To prevent this potential NULL pointer dereference and make<br /> free_choose_arg_map() more resilient, add checks for pointers before<br /> iterating.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: return the handler error from mon_handle_auth_done()<br /> <br /> Currently any error from ceph_auth_handle_reply_done() is propagated<br /> via finish_auth() but isn&amp;#39;t returned from mon_handle_auth_done(). This<br /> results in higher layers learning that (despite the monitor considering<br /> us to be successfully authenticated) something went wrong in the<br /> authentication phase and reacting accordingly, but msgr2 still trying<br /> to proceed with establishing the session in the background. In the<br /> case of secure mode this can trigger a WARN in setup_crypto() and later<br /> lead to a NULL pointer dereference inside of prepare_auth_signature().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> idpf: Fix RSS LUT NULL ptr issue after soft reset<br /> <br /> During soft reset, the RSS LUT is freed and not restored unless the<br /> interface is up. If an ethtool command that accesses the rss lut is<br /> attempted immediately after reset, it will result in NULL ptr<br /> dereference. Also, there is no need to reset the rss lut if the soft reset<br /> does not involve queue count change.<br /> <br /> After soft reset, set the RSS LUT to default values based on the updated<br /> queue count only if the reset was a result of a queue count change and<br /> the LUT was not configured by the user. In all other cases, don&amp;#39;t touch<br /> the LUT.<br /> <br /> Steps to reproduce:<br /> <br /> ** Bring the interface down (if up)<br /> ifconfig eth1 down<br /> <br /> ** update the queue count (eg., 27-&gt;20)<br /> ethtool -L eth1 combined 20<br /> <br /> ** display the RSS LUT<br /> ethtool -x eth1<br /> <br /> [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> [82375.558373] #PF: supervisor read access in kernel mode<br /> [82375.558391] #PF: error_code(0x0000) - not-present page<br /> [82375.558408] PGD 0 P4D 0<br /> [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI<br /> <br /> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]<br /> [82375.558786] Call Trace:<br /> [82375.558793] <br /> [82375.558804] rss_prepare.isra.0+0x187/0x2a0<br /> [82375.558827] rss_prepare_data+0x3a/0x50<br /> [82375.558845] ethnl_default_doit+0x13d/0x3e0<br /> [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180<br /> [82375.558886] genl_rcv_msg+0x1ad/0x2b0<br /> [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10<br /> [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10<br /> [82375.558937] netlink_rcv_skb+0x58/0x100<br /> [82375.558957] genl_rcv+0x2c/0x50<br /> [82375.558971] netlink_unicast+0x289/0x3e0<br /> [82375.558988] netlink_sendmsg+0x215/0x440<br /> [82375.559005] __sys_sendto+0x234/0x240<br /> [82375.559555] __x64_sys_sendto+0x28/0x30<br /> [82375.560068] x64_sys_call+0x1909/0x1da0<br /> [82375.560576] do_syscall_64+0x7a/0xfa0<br /> [82375.561076] ? clear_bhb_loop+0x60/0xb0<br /> [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix reference count leak in bpf_prog_test_run_xdp()<br /> <br /> syzbot is reporting<br /> <br /> unregister_netdevice: waiting for sit0 to become free. Usage count = 2<br /> <br /> problem. A debug printk() patch found that a refcount is obtained at<br /> xdp_convert_md_to_buff() from bpf_prog_test_run_xdp().<br /> <br /> According to commit ec94670fcb3b ("bpf: Support specifying ingress via<br /> xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by<br /> xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().<br /> <br /> Therefore, we can consider that the error handling path introduced by<br /> commit 1c1949982524 ("bpf: introduce frags support to<br /> bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ublk: fix use-after-free in ublk_partition_scan_work<br /> <br /> A race condition exists between the async partition scan work and device<br /> teardown that can lead to a use-after-free of ub-&gt;ub_disk:<br /> <br /> 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()<br /> 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:<br /> - del_gendisk(ub-&gt;ub_disk)<br /> - ublk_detach_disk() sets ub-&gt;ub_disk = NULL<br /> - put_disk() which may free the disk<br /> 3. The worker ublk_partition_scan_work() then dereferences ub-&gt;ub_disk<br /> leading to UAF<br /> <br /> Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold<br /> a reference to the disk during the partition scan. The spinlock in<br /> ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker<br /> either gets a valid reference or sees NULL and exits early.<br /> <br /> Also change flush_work() to cancel_work_sync() to avoid running the<br /> partition scan work unnecessarily when the disk is already detached.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: provide locking for v4_end_grace<br /> <br /> Writing to v4_end_grace can race with server shutdown and result in<br /> memory being accessed after it was freed - reclaim_str_hashtbl in<br /> particularly.<br /> <br /> We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is<br /> held while client_tracking_op-&gt;init() is called and that can wait for<br /> an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a<br /> deadlock.<br /> <br /> nfsd4_end_grace() is also called by the landromat work queue and this<br /> doesn&amp;#39;t require locking as server shutdown will stop the work and wait<br /> for it before freeing anything that nfsd4_end_grace() might access.<br /> <br /> However, we must be sure that writing to v4_end_grace doesn&amp;#39;t restart<br /> the work item after shutdown has already waited for it. For this we<br /> add a new flag protected with nn-&gt;client_lock. It is set only while it<br /> is safe to make client tracking calls, and v4_end_grace only schedules<br /> work while the flag is set with the spinlock held.<br /> <br /> So this patch adds a nfsd_net field "client_tracking_active" which is<br /> set as described. Another field "grace_end_forced", is set when<br /> v4_end_grace is written. After this is set, and providing<br /> client_tracking_active is set, the laundromat is scheduled.<br /> This "grace_end_forced" field bypasses other checks for whether the<br /> grace period has finished.<br /> <br /> This resolves a race which can result in use-after-free.