Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-43829

Publication date:
17/08/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/qxl: Add check for drm_cvt_mode

Add check for the return value of drm_cvt_mode() and return the error if it fails in order to avoid NULL pointer dereference.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-43830

Publication date:
17/08/2024
In the Linux kernel, the following vulnerability has been resolved:

leds: trigger: Unregister sysfs attributes before calling deactivate()

Triggers which have trigger specific sysfs attributes typically store related data in trigger-data allocated by the activate() callback and freed by the deactivate() callback.

Calling device_remove_groups() after calling deactivate() leaves a window where the sysfs attributes show/store functions could be called after deactivation and then operate on the just freed trigger-data.

Move the device_remove_groups() call to before deactivate() to close this race window.

This also makes the deactivation path properly do things in reverse order of the activation path which calls the activate() callback before calling device_add_groups().
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2024-43831

Publication date:
17/08/2024
In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: Handle invalid decoder vsi

Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi is valid for future use.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-43832

Publication date:
17/08/2024
In the Linux kernel, the following vulnerability has been resolved:

s390/uv: Don't call folio_wait_writeback() without a folio reference

folio_wait_writeback() requires that no spinlocks are held and that a folio reference is held, as documented. After we dropped the PTL, the folio could get freed concurrently. So grab a temporary reference.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-3416

Publication date:
17/08/2024
The tagDiv Opt-In Builder plugin is vulnerable to Blind SQL Injection via the 'subscriptionCouponId' parameter via the 'create_stripe_subscription' REST API endpoint in versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-3419

Publication date:
17/08/2024
The tagDiv Opt-In Builder plugin is vulnerable to Blind SQL Injection via the 'couponId' parameter of the 'recreate_stripe_subscription' REST API endpoint in versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-43815

Publication date:
17/08/2024
In the Linux kernel, the following vulnerability has been resolved:

crypto: mxs-dcp - Ensure payload is zero when using key slot

We could leak stack memory through the payload field when running AES with a key from one of the hardware's key slots. Fix this by ensuring the payload field is set to 0 in such cases.

This does not affect the common use case when the key is supplied from main memory via the descriptor payload.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2024-43816

Publication date:
17/08/2024
In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Revise lpfc_prep_embed_io routine with proper endian macro usages

On big endian architectures, it is possible to run into a memory out of bounds pointer dereference when FCP targets are zoned.

In lpfc_prep_embed_io, the memcpy(ptr, fcp_cmnd, sgl->sge_len) is referencing a little endian formatted sgl->sge_len value. So, the memcpy can cause big endian systems to crash.

Redefine the *sgl ptr as a struct sli4_sge_le to make it clear that we are referring to a little endian formatted data structure. And, update the routine with proper le32_to_cpu macro usages.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2023-0714

Publication date:
17/08/2024
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2024-7887

Publication date:
17/08/2024
A vulnerability was found in LimeSurvey 6.3.0-231016 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php of the component File Upload. The manipulation of the argument size leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2024-42310

Publication date:
17/08/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes

In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-42311

Publication date:
17/08/2024
In the Linux kernel, the following vulnerability has been resolved:

hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()

Syzbot reports uninitialized value access issue as below:

It missed to initialize .tz_secondswest, .cached_start and .cached_blocks fields in struct hfs_inode_info after hfs_alloc_inode(), fix it.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025