Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bonding: fix NULL deref in bond_rr_gen_slave_id<br /> <br /> Fix a NULL dereference of the struct bonding.rr_tx_counter member because<br /> if a bond is initially created with an initial mode != zero (Round Robin)<br /> the memory required for the counter is never created and when the mode is<br /> changed there is never any attempt to verify the memory is allocated upon<br /> switching modes.<br /> <br /> This causes the following Oops on an aarch64 machine:<br /> [ 334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000<br /> [ 334.694703] Mem abort info:<br /> [ 334.697486] ESR = 0x0000000096000004<br /> [ 334.701234] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 334.706536] SET = 0, FnV = 0<br /> [ 334.709579] EA = 0, S1PTW = 0<br /> [ 334.712719] FSC = 0x04: level 0 translation fault<br /> [ 334.717586] Data abort info:<br /> [ 334.720454] ISV = 0, ISS = 0x00000004<br /> [ 334.724288] CM = 0, WnR = 0<br /> [ 334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000<br /> [ 334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000<br /> [ 334.740734] Internal error: Oops: 96000004 [#1] SMP<br /> [ 334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon<br /> [ 334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4<br /> [ 334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021<br /> [ 334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]<br /> [ 334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]<br /> [ 334.807962] sp : ffff8000221733e0<br /> [ 334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c<br /> [ 334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000<br /> [ 334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0<br /> [ 334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014<br /> [ 334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62<br /> [ 334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000<br /> [ 334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec<br /> [ 334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742<br /> [ 334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400<br /> [ 334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0<br /> [ 334.882532] Call trace:<br /> [ 334.884967] bond_rr_gen_slave_id+0x40/0x124 [bonding]<br /> [ 334.890109] bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]<br /> [ 334.896033] __bond_start_xmit+0x128/0x3a0 [bonding]<br /> [ 334.901001] bond_start_xmit+0x54/0xb0 [bonding]<br /> [ 334.905622] dev_hard_start_xmit+0xb4/0x220<br /> [ 334.909798] __dev_queue_xmit+0x1a0/0x720<br /> [ 334.913799] arp_xmit+0x3c/0xbc<br /> [ 334.916932] arp_send_dst+0x98/0xd0<br /> [ 334.920410] arp_solicit+0xe8/0x230<br /> [ 334.923888] neigh_probe+0x60/0xb0<br /> [ 334.927279] __neigh_event_send+0x3b0/0x470<br /> [ 334.931453] neigh_resolve_output+0x70/0x90<br /> [ 334.935626] ip_finish_output2+0x158/0x514<br /> [ 334.939714] __ip_finish_output+0xac/0x1a4<br /> [ 334.943800] ip_finish_output+0x40/0xfc<br /> [ 334.947626] ip_output+0xf8/0x1a4<br /> [ 334.950931] ip_send_skb+0x5c/0x100<br /> [ 334.954410] ip_push_pending_frames+0x3c/0x60<br /> [ 334.958758] raw_sendmsg+0x458/0x6d0<br /> [ 334.962325] inet_sendmsg+0x50/0x80<br /> [ 334.965805] sock_sendmsg+0x60/0x6c<br /> [ 334.969286] __sys_sendto+0xc8/0x134<br /> [ 334.972853] __arm64_sys_sendto+0x34/0x4c<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ebtables: fix memory leak when blob is malformed<br /> <br /> The bug fix was incomplete, it "replaced" crash with a memory leak.<br /> The old code had an assignment to "ret" embedded into the conditional,<br /> restore this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: SOF: Add some bounds checking to firmware data<br /> <br /> Smatch complains about "head-&gt;full_size - head-&gt;header_size" can<br /> underflow. To some extent, we&amp;#39;re always going to have to trust the<br /> firmware a bit. However, it&amp;#39;s easy enough to add a check for negatives,<br /> and let&amp;#39;s add a upper bounds check as well.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential UAF in cifs_debug_files_proc_show()<br /> <br /> Skip sessions that are being teared down (status == SES_EXITING) to<br /> avoid UAF.

An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard.

An issue was discovered in Logpoint before 7.1.1. Template injection was seen in the search template. The search template uses jinja templating for generating dynamic data. This could be abused to achieve code execution. Any user with access to create a search template can leverage this to execute code as the loginspect user.

An issue was discovered in Logpoint 7.1 before 7.1.2. The daily executed cron file clean_secbi_old_logs is writable by all users and is executed as root, leading to privilege escalation.

A vulnerability, which was classified as critical, has been found in PHPGurukul Doctor Appointment Management System 1.0. Affected by this issue is some unknown functionality of the file /doctor/view-appointment-detail.php. The manipulation of the argument editid leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-262226 is the identifier assigned to this vulnerability.

phpecc, as used in paragonie/phpecc before 2.0.1, has a branch-based timing leak in Point addition. (This is related to phpecc/phpecc on GitHub, and the Matyas Danter ECC library.)

A vulnerability classified as problematic was found in PHPGurukul Doctor Appointment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file appointment-bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262225 was assigned to this vulnerability.

A vulnerability classified as critical has been found in Contemporary Controls BASrouter BACnet BASRT-B 2.7.2. Affected is an unknown function of the component Device-Communication-Control Service. The manipulation with the input 55ff0500370015f30104025506110afb7519035d0841e4bece257b6acfc71f leads to denial of service. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-262224. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Tenda A301 15.13.08.12_multi_TDE01. It has been rated as critical. This issue affects the function formAddMacfilterRule of the file /goform/setBlackRule. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-262223. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.