Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/mseal: update VMA end correctly on merge<br /> <br /> Previously we stored the end of the current VMA in curr_end, and then upon<br /> iterating to the next VMA updated curr_start to curr_end to advance to the<br /> next VMA.<br /> <br /> However, this doesn&amp;#39;t take into account the fact that a VMA might be<br /> updated due to a merge by vma_modify_flags(), which can result in curr_end<br /> being stale and thus, upon setting curr_start to curr_end, ending up with<br /> an incorrect curr_start on the next iteration.<br /> <br /> Resolve the issue by setting curr_end to vma-&gt;vm_end unconditionally to<br /> ensure this value remains updated should this occur.<br /> <br /> While we&amp;#39;re here, eliminate this entire class of bug by simply setting<br /> const curr_[start/end] to be clamped to the input range and VMAs, which<br /> also happens to simplify the logic.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()<br /> <br /> During futex_key_to_node_opt() execution, vma-&gt;vm_policy is read under<br /> speculative mmap lock and RCU. Concurrently, mbind() may call<br /> vma_replace_policy() which frees the old mempolicy immediately via<br /> kmem_cache_free().<br /> <br /> This creates a race where __futex_key_to_node() dereferences a freed<br /> mempolicy pointer, causing a use-after-free read of mpol-&gt;mode.<br /> <br /> [ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)<br /> [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87<br /> <br /> [ 151.415969] Call Trace:<br /> <br /> [ 151.416732] __asan_load2 (mm/kasan/generic.c:271)<br /> [ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)<br /> [ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)<br /> <br /> Fix by adding rcu to __mpol_put().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tls: Purge async_hold in tls_decrypt_async_wait()<br /> <br /> The async_hold queue pins encrypted input skbs while<br /> the AEAD engine references their scatterlist data. Once<br /> tls_decrypt_async_wait() returns, every AEAD operation<br /> has completed and the engine no longer references those<br /> skbs, so they can be freed unconditionally.<br /> <br /> A subsequent patch adds batch async decryption to<br /> tls_sw_read_sock(), introducing a new call site that<br /> must drain pending AEAD operations and release held<br /> skbs. Move __skb_queue_purge(&amp;ctx-&gt;async_hold) into<br /> tls_decrypt_async_wait() so the purge is centralized<br /> and every caller -- recvmsg&amp;#39;s drain path, the -EBUSY<br /> fallback in tls_do_decryption(), and the new read_sock<br /> batch path -- releases held skbs on synchronization<br /> without each site managing the purge independently.<br /> <br /> This fixes a leak when tls_strp_msg_hold() fails part-way through,<br /> after having added some cloned skbs to the async_hold<br /> queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to<br /> process all pending decrypts, and drop back to synchronous mode, but<br /> tls_sw_recvmsg() only flushes the async_hold queue when one record has<br /> been processed in "fully-async" mode, which may not be the case here.<br /> <br /> [pabeni@redhat.com: added leak comment]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clsact: Fix use-after-free in init/destroy rollback asymmetry<br /> <br /> Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.<br /> The latter is achieved by first fully initializing a clsact instance, and<br /> then in a second step having a replacement failure for the new clsact qdisc<br /> instance. clsact_init() initializes ingress first and then takes care of the<br /> egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon<br /> failure, the kernel will trigger the clsact_destroy() callback.<br /> <br /> Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the<br /> way how the transition is happening. If tcf_block_get_ext on the q-&gt;ingress_block<br /> ends up failing, we took the tcx_miniq_inc reference count on the ingress<br /> side, but not yet on the egress side. clsact_destroy() tests whether the<br /> {ingress,egress}_entry was non-NULL. However, even in midway failure on the<br /> replacement, both are in fact non-NULL with a valid egress_entry from the<br /> previous clsact instance.<br /> <br /> What we really need to test for is whether the qdisc instance-specific ingress<br /> or egress side previously got initialized. This adds a small helper for checking<br /> the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon<br /> clsact_destroy() in order to fix the use-after-free scenario. Convert the<br /> ingress_destroy() side as well so both are consistent to each other.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: bpf: defer hook memory release until rcu readers are done<br /> <br /> Yiming Qian reports UaF when concurrent process is dumping hooks via<br /> nfnetlink_hooks:<br /> <br /> BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0<br /> Read of size 8 at addr ffff888003edbf88 by task poc/79<br /> Call Trace:<br /> <br /> nfnl_hook_dump_one.isra.0+0xe71/0x10f0<br /> netlink_dump+0x554/0x12b0<br /> nfnl_hook_get+0x176/0x230<br /> [..]<br /> <br /> Defer release until after concurrent readers have completed.

*** Pendiente de traducción *** A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the component User Information Handler. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. The exploit is publicly available and might be used.

*** Pendiente de traducción *** Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing.<br /> <br /> The multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota.<br /> <br /> An unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request.<br /> <br /> This issue affects wisp: from 0.2.0 before 2.2.2.

*** Pendiente de traducción *** A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of the component mDNS Record Handler. Performing a manipulation of the argument buf results in stack-based buffer overflow. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been made public and could be used. Upgrading to version 7.21 will fix this issue. The patch is named 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

*** Pendiente de traducción *** A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

*** Pendiente de traducción *** An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials.

*** Pendiente de traducción *** An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

*** Pendiente de traducción *** An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the setinfo endpoint due to improper neutralization of special elements in a SQL UPDATE command. This can result in a total loss of integrity and availability.