Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> apparmor: fix differential encoding verification<br /> <br /> Differential encoding allows loops to be created if it is abused. To<br /> prevent this the unpack should verify that a diff-encode chain<br /> terminates.<br /> <br /> Unfortunately the differential encode verification had two bugs.<br /> <br /> 1. it conflated states that had gone through check and already been<br /> marked, with states that were currently being checked and marked.<br /> This means that loops in the current chain being verified are treated<br /> as a chain that has already been verified.<br /> <br /> 2. the order bailout on already checked states compared current chain<br /> check iterators j,k instead of using the outer loop iterator i.<br /> Meaning a step backwards in states in the current chain verification<br /> was being mistaken for moving to an already verified state.<br /> <br /> Move to a double mark scheme where already verified states get a<br /> different mark, than the current chain being kept. This enables us<br /> to also drop the backwards verification check that was the cause of<br /> the second error as any already verified state is already marked.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE<br /> <br /> When installing an emulated MMIO SPTE, do so *after* dropping/zapping the<br /> existing SPTE (if it&amp;#39;s shadow-present). While commit a54aa15c6bda3 was<br /> right about it being impossible to convert a shadow-present SPTE to an<br /> MMIO SPTE due to a _guest_ write, it failed to account for writes to guest<br /> memory that are outside the scope of KVM.<br /> <br /> E.g. if host userspace modifies a shadowed gPTE to switch from a memslot<br /> to emulted MMIO and then the guest hits a relevant page fault, KVM will<br /> install the MMIO SPTE without first zapping the shadow-present SPTE.<br /> <br /> ------------[ cut here ]------------<br /> is_shadow_present_pte(*sptep)<br /> WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292<br /> Modules linked in: kvm_intel kvm irqbypass<br /> CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015<br /> RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]<br /> Call Trace:<br /> <br /> mmu_set_spte+0x237/0x440 [kvm]<br /> ept_page_fault+0x535/0x7f0 [kvm]<br /> kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]<br /> kvm_mmu_page_fault+0x8d/0x620 [kvm]<br /> vmx_handle_exit+0x18c/0x5a0 [kvm_intel]<br /> kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]<br /> kvm_vcpu_ioctl+0x2d5/0x980 [kvm]<br /> __x64_sys_ioctl+0x8a/0xd0<br /> do_syscall_64+0xb5/0x730<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> RIP: 0033:0x47fa3f<br /> <br /> ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE<br /> <br /> Adjust KVM&amp;#39;s sanity check against overwriting a shadow-present SPTE with a<br /> another SPTE with a different target PFN to only apply to direct MMUs,<br /> i.e. only to MMUs without shadowed gPTEs. While it&amp;#39;s impossible for KVM<br /> to overwrite a shadow-present SPTE in response to a guest write, writes<br /> from outside the scope of KVM, e.g. from host userspace, aren&amp;#39;t detected<br /> by KVM&amp;#39;s write tracking and so can break KVM&amp;#39;s shadow paging rules.<br /> <br /> ------------[ cut here ]------------<br /> pfn != spte_to_pfn(*sptep)<br /> WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872<br /> Modules linked in: kvm_intel kvm irqbypass<br /> CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015<br /> RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]<br /> Call Trace:<br /> <br /> ept_page_fault+0x535/0x7f0 [kvm]<br /> kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]<br /> kvm_mmu_page_fault+0x8d/0x620 [kvm]<br /> vmx_handle_exit+0x18c/0x5a0 [kvm_intel]<br /> kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]<br /> kvm_vcpu_ioctl+0x2d5/0x980 [kvm]<br /> __x64_sys_ioctl+0x8a/0xd0<br /> do_syscall_64+0xb5/0x730<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> <br /> ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> apparmor: fix memory leak in verify_header<br /> <br /> The function sets `*ns = NULL` on every call, leaking the namespace<br /> string allocated in previous iterations when multiple profiles are<br /> unpacked. This also breaks namespace consistency checking since *ns<br /> is always NULL when the comparison is made.<br /> <br /> Remove the incorrect assignment.<br /> The caller (aa_unpack) initializes *ns to NULL once before the loop,<br /> which is sufficient.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> apparmor: replace recursive profile removal with iterative approach<br /> <br /> The profile removal code uses recursion when removing nested profiles,<br /> which can lead to kernel stack exhaustion and system crashes.<br /> <br /> Reproducer:<br /> $ pf=&amp;#39;a&amp;#39;; for ((i=0; i /sys/kernel/security/apparmor/.remove<br /> <br /> Replace the recursive __aa_profile_list_release() approach with an<br /> iterative approach in __remove_profile(). The function repeatedly<br /> finds and removes leaf profiles until the entire subtree is removed,<br /> maintaining the same removal semantic without recursion.

Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application version(s) 5.28.00.xx to 5.32.00.xx, contain(s) an Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability. A high privileged attacker within the management network could potentially exploit this vulnerability, leading to remote execution.

PowerStore, contains a Path Traversal vulnerability in the Service user. A low privileged attacker with local access could potentially exploit this vulnerability, leading to modification of arbitrary system files.

A vulnerability was determined in AutohomeCorp frostmourne up to 1.0. The affected element is an unknown function of the file frostmourne-monitor/src/main/java/com/autohome/frostmourne/monitor/controller/AlarmController.java of the component Alarm Preview. Executing a manipulation can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected.<br /> <br /> Some keywords representing actions taken on a packet-matching rule, such as &amp;#39;log&amp;#39;, &amp;#39;return tll&amp;#39;, or &amp;#39;dnpipe&amp;#39;, may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant.<br /> <br /> Affected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking.

A vulnerability was found in Sanster IOPaint 1.5.3. Impacted is the function _get_file of the file iopaint/file_manager/file_manager.py of the component File Manager. Performing a manipulation of the argument filename results in path traversal. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerability affects unknown code of the file /modify.php of the component Parameter Handler. This manipulation of the argument firstName causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

A vulnerability has been found in code-projects Simple Laundry System 1.0. This issue affects some unknown processing of the file /delstaffinfo.php of the component Parameter Handler. Such manipulation of the argument userid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.