Vulnerabilidades

*** Pendiente de traducción *** Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter.

*** Pendiente de traducción *** MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: replace overzealous BUG_ON in osdmap_apply_incremental()<br /> <br /> If the osdmap is (maliciously) corrupted such that the incremental<br /> osdmap epoch is different from what is expected, there is no need to<br /> BUG. Instead, just declare the incremental osdmap to be invalid.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: make free_choose_arg_map() resilient to partial allocation<br /> <br /> free_choose_arg_map() may dereference a NULL pointer if its caller fails<br /> after a partial allocation.<br /> <br /> For example, in decode_choose_args(), if allocation of arg_map-&gt;args<br /> fails, execution jumps to the fail label and free_choose_arg_map() is<br /> called. Since arg_map-&gt;size is updated to a non-zero value before memory<br /> allocation, free_choose_arg_map() will iterate over arg_map-&gt;args and<br /> dereference a NULL pointer.<br /> <br /> To prevent this potential NULL pointer dereference and make<br /> free_choose_arg_map() more resilient, add checks for pointers before<br /> iterating.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: return the handler error from mon_handle_auth_done()<br /> <br /> Currently any error from ceph_auth_handle_reply_done() is propagated<br /> via finish_auth() but isn&amp;#39;t returned from mon_handle_auth_done(). This<br /> results in higher layers learning that (despite the monitor considering<br /> us to be successfully authenticated) something went wrong in the<br /> authentication phase and reacting accordingly, but msgr2 still trying<br /> to proceed with establishing the session in the background. In the<br /> case of secure mode this can trigger a WARN in setup_crypto() and later<br /> lead to a NULL pointer dereference inside of prepare_auth_signature().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> idpf: Fix RSS LUT NULL ptr issue after soft reset<br /> <br /> During soft reset, the RSS LUT is freed and not restored unless the<br /> interface is up. If an ethtool command that accesses the rss lut is<br /> attempted immediately after reset, it will result in NULL ptr<br /> dereference. Also, there is no need to reset the rss lut if the soft reset<br /> does not involve queue count change.<br /> <br /> After soft reset, set the RSS LUT to default values based on the updated<br /> queue count only if the reset was a result of a queue count change and<br /> the LUT was not configured by the user. In all other cases, don&amp;#39;t touch<br /> the LUT.<br /> <br /> Steps to reproduce:<br /> <br /> ** Bring the interface down (if up)<br /> ifconfig eth1 down<br /> <br /> ** update the queue count (eg., 27-&gt;20)<br /> ethtool -L eth1 combined 20<br /> <br /> ** display the RSS LUT<br /> ethtool -x eth1<br /> <br /> [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> [82375.558373] #PF: supervisor read access in kernel mode<br /> [82375.558391] #PF: error_code(0x0000) - not-present page<br /> [82375.558408] PGD 0 P4D 0<br /> [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI<br /> <br /> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]<br /> [82375.558786] Call Trace:<br /> [82375.558793] <br /> [82375.558804] rss_prepare.isra.0+0x187/0x2a0<br /> [82375.558827] rss_prepare_data+0x3a/0x50<br /> [82375.558845] ethnl_default_doit+0x13d/0x3e0<br /> [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180<br /> [82375.558886] genl_rcv_msg+0x1ad/0x2b0<br /> [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10<br /> [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10<br /> [82375.558937] netlink_rcv_skb+0x58/0x100<br /> [82375.558957] genl_rcv+0x2c/0x50<br /> [82375.558971] netlink_unicast+0x289/0x3e0<br /> [82375.558988] netlink_sendmsg+0x215/0x440<br /> [82375.559005] __sys_sendto+0x234/0x240<br /> [82375.559555] __x64_sys_sendto+0x28/0x30<br /> [82375.560068] x64_sys_call+0x1909/0x1da0<br /> [82375.560576] do_syscall_64+0x7a/0xfa0<br /> [82375.561076] ? clear_bhb_loop+0x60/0xb0<br /> [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix reference count leak in bpf_prog_test_run_xdp()<br /> <br /> syzbot is reporting<br /> <br /> unregister_netdevice: waiting for sit0 to become free. Usage count = 2<br /> <br /> problem. A debug printk() patch found that a refcount is obtained at<br /> xdp_convert_md_to_buff() from bpf_prog_test_run_xdp().<br /> <br /> According to commit ec94670fcb3b ("bpf: Support specifying ingress via<br /> xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by<br /> xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().<br /> <br /> Therefore, we can consider that the error handling path introduced by<br /> commit 1c1949982524 ("bpf: introduce frags support to<br /> bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ublk: fix use-after-free in ublk_partition_scan_work<br /> <br /> A race condition exists between the async partition scan work and device<br /> teardown that can lead to a use-after-free of ub-&gt;ub_disk:<br /> <br /> 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()<br /> 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:<br /> - del_gendisk(ub-&gt;ub_disk)<br /> - ublk_detach_disk() sets ub-&gt;ub_disk = NULL<br /> - put_disk() which may free the disk<br /> 3. The worker ublk_partition_scan_work() then dereferences ub-&gt;ub_disk<br /> leading to UAF<br /> <br /> Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold<br /> a reference to the disk during the partition scan. The spinlock in<br /> ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker<br /> either gets a valid reference or sees NULL and exits early.<br /> <br /> Also change flush_work() to cancel_work_sync() to avoid running the<br /> partition scan work unnecessarily when the disk is already detached.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpiolib: fix race condition for gdev-&gt;srcu<br /> <br /> If two drivers were calling gpiochip_add_data_with_key(), one may be<br /> traversing the srcu-protected list in gpio_name_to_desc(), meanwhile<br /> other has just added its gdev in gpiodev_add_to_list_unlocked().<br /> This creates a non-mutexed and non-protected timeframe, when one<br /> instance is dereferencing and using &amp;gdev-&gt;srcu, before the other<br /> has initialized it, resulting in crash:<br /> <br /> [ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000<br /> [ 4.943396] Mem abort info:<br /> [ 4.943400] ESR = 0x0000000096000005<br /> [ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 4.943407] SET = 0, FnV = 0<br /> [ 4.943410] EA = 0, S1PTW = 0<br /> [ 4.943413] FSC = 0x05: level 1 translation fault<br /> [ 4.943416] Data abort info:<br /> [ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000<br /> [ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000<br /> [ 4.961449] [ffff800272bcc000] pgd=0000000000000000<br /> [ 4.969203] , p4d=1000000039739003<br /> [ 4.979730] , pud=0000000000000000<br /> [ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset"<br /> [ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP<br /> ...<br /> [ 5.121359] pc : __srcu_read_lock+0x44/0x98<br /> [ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0<br /> [ 5.153671] sp : ffff8000833bb430<br /> [ 5.298440]<br /> [ 5.298443] Call trace:<br /> [ 5.298445] __srcu_read_lock+0x44/0x98<br /> [ 5.309484] gpio_name_to_desc+0x60/0x1a0<br /> [ 5.320692] gpiochip_add_data_with_key+0x488/0xf00<br /> 5.946419] ---[ end trace 0000000000000000 ]---<br /> <br /> Move initialization code for gdev fields before it is added to<br /> gpio_devices, with adjacent initialization code.<br /> Adjust goto statements to reflect modified order of operations<br /> <br /> [Bartosz: fixed a build issue, removed stray newline]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy<br /> <br /> syzbot reported a crash in tc_act_in_hw() during netns teardown where<br /> tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action<br /> pointer, leading to an invalid dereference.<br /> <br /> Guard against ERR_PTR entries when iterating the action IDR so teardown<br /> does not call tc_act_in_hw() on an error pointer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arp: do not assume dev_hard_header() does not change skb-&gt;head<br /> <br /> arp_create() is the only dev_hard_header() caller<br /> making assumption about skb-&gt;head being unchanged.<br /> <br /> A recent commit broke this assumption.<br /> <br /> Initialize @arp pointer after dev_hard_header() call.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: check that server is running in unlock_filesystem<br /> <br /> If we are trying to unlock the filesystem via an administrative<br /> interface and nfsd isn&amp;#39;t running, it crashes the server. This<br /> happens currently because nfsd4_revoke_states() access state<br /> structures (eg., conf_id_hashtbl) that has been freed as a part<br /> of the server shutdown.<br /> <br /> [ 59.465072] Call trace:<br /> [ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)<br /> [ 59.465830] write_unlock_fs+0x258/0x440 [nfsd]<br /> [ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd]<br /> [ 59.466780] vfs_write+0x1f0/0x938<br /> [ 59.467088] ksys_write+0xfc/0x1f8<br /> [ 59.467395] __arm64_sys_write+0x74/0xb8<br /> [ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8<br /> [ 59.468177] do_el0_svc+0x154/0x1d8<br /> [ 59.468489] el0_svc+0x40/0xe0<br /> [ 59.468767] el0t_64_sync_handler+0xa0/0xe8<br /> [ 59.469138] el0t_64_sync+0x1ac/0x1b0<br /> <br /> Ensure this can&amp;#39;t happen by taking the nfsd_mutex and checking that<br /> the server is still up, and then holding the mutex across the call to<br /> nfsd4_revoke_states().