Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Enforce expected_attach_type for tailcall compatibility<br /> <br /> Yinhao et al. recently reported:<br /> <br /> Our fuzzer tool discovered an uninitialized pointer issue in the<br /> bpf_prog_test_run_xdp() function within the Linux kernel&amp;#39;s BPF subsystem.<br /> This leads to a NULL pointer dereference when a BPF program attempts to<br /> deference the txq member of struct xdp_buff object.<br /> <br /> The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the<br /> entry point for bpf_prog_test_run_xdp() and its expected_attach_type can<br /> neither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot<br /> of a tailcall map it owns. progB&amp;#39;s expected_attach_type must be BPF_XDP_DEVMAP<br /> to pass xdp_is_valid_access() validation. The program returns struct xdp_md&amp;#39;s<br /> egress_ifindex, and the latter is only allowed to be accessed under mentioned<br /> expected_attach_type. progB is then inserted into the tailcall which progA<br /> calls.<br /> <br /> The underlying issue goes beyond XDP though. Another example are programs<br /> of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well<br /> as sock_addr_func_proto() have different logic depending on the programs&amp;#39;<br /> expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME<br /> should not be allowed doing a tailcall into a program which calls bpf_bind()<br /> out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.<br /> <br /> In short, specifying expected_attach_type allows to open up additional<br /> functionality or restrictions beyond what the basic bpf_prog_type enables.<br /> The use of tailcalls must not violate these constraints. Fix it by enforcing<br /> expected_attach_type in __bpf_prog_map_compatible().<br /> <br /> Note that we only enforce this for tailcall maps, but not for BPF devmaps or<br /> cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and<br /> cpu_map_bpf_prog_run*() which set up a new environment / context and therefore<br /> these situations are not prone to this issue.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III<br /> <br /> Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios<br /> enabled resulted from copy_from_user() returning impossibly large values<br /> greater than the size to be copied. This lead to __copy_from_iter()<br /> returning impossible values instead of the actual number of bytes it was<br /> able to copy.<br /> <br /> The BUG_ON has been reported in<br /> https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de<br /> <br /> The referenced commit introduced exception handlers on user-space memory<br /> references in copy_from_user and copy_to_user. These handlers return from<br /> the respective function and calculate the remaining bytes left to copy<br /> using the current register contents. The exception handlers expect that<br /> %o2 has already been masked during the bulk copy loop, but the masking was<br /> performed after that loop. This will fix the return value of copy_from_user<br /> and copy_to_user in the faulting case. The behaviour of memcpy stays<br /> unchanged.

*** Pendiente de traducción *** The Easy Email Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;name&amp;#39; parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara<br /> <br /> The referenced commit introduced exception handlers on user-space memory<br /> references in copy_from_user and copy_to_user. These handlers return from<br /> the respective function and calculate the remaining bytes left to copy<br /> using the current register contents. This commit fixes a couple of bad<br /> calculations and a broken epilogue in the exception handlers. This will<br /> prevent crashes and ensure correct return values of copy_from_user and<br /> copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E<br /> <br /> The ADSP firmware on X1E has separate firmware binaries for the main<br /> firmware and the DTB. The same applies for the "lite" firmware loaded by<br /> the boot firmware.<br /> <br /> When preparing to load the new ADSP firmware we shutdown the lite_pas_id<br /> for the main firmware, but we don&amp;#39;t shutdown the corresponding lite pas_id<br /> for the DTB. The fact that we&amp;#39;re leaving it "running" forever becomes<br /> obvious if you try to reuse (or just access) the memory region used by the<br /> "lite" firmware: The &amp;adsp_boot_mem is accessible, but accessing the<br /> &amp;adsp_boot_dtb_mem results in a crash.<br /> <br /> We don&amp;#39;t support reusing the memory regions currently, but nevertheless we<br /> should not keep part of the lite firmware running. Fix this by adding the<br /> lite_dtb_pas_id and shutting it down as well.<br /> <br /> We don&amp;#39;t have a way to detect if the lite firmware is actually running yet,<br /> so ignore the return status of qcom_scm_pas_shutdown() for now. This was<br /> already the case before, the assignment to "ret" is not used anywhere.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()<br /> <br /> During mpt3sas_transport_port_remove(), messages were logged with<br /> dev_printk() against &amp;mpt3sas_port-&gt;port-&gt;dev. At this point the SAS<br /> transport device may already be partially unregistered or freed, leading<br /> to a crash when accessing its struct device.<br /> <br /> Using ioc_info(), which logs via the PCI device (ioc-&gt;pdev-&gt;dev),<br /> guaranteed to remain valid until driver removal.<br /> <br /> [83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI<br /> [83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary)<br /> [83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> [83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024<br /> [83428.295799] RIP: 0010:__dev_printk+0x1f/0x70<br /> [83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff<br /> [83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206<br /> [83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32<br /> [83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845<br /> [83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8<br /> [83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000<br /> [83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30<br /> [83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000<br /> [83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0<br /> [83428.295844] PKRU: 55555554<br /> [83428.295846] Call Trace:<br /> [83428.295848] <br /> [83428.295850] _dev_printk+0x5c/0x80<br /> [83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]<br /> [83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas]<br /> [83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]<br /> [83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]<br /> [83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas]<br /> [83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]<br /> [83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas]<br /> [83428.295957] pci_device_remove+0x3b/0xb0<br /> [83428.295962] device_release_driver_internal+0x193/0x200<br /> [83428.295968] driver_detach+0x44/0x90<br /> [83428.295971] bus_remove_driver+0x69/0xf0<br /> [83428.295975] pci_unregister_driver+0x2a/0xb0<br /> [83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas]<br /> [83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310<br /> [83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [83428.296000] ? __x64_sys_getdents64+0x9a/0x110<br /> [83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [83428.296009] ? syscall_trace_enter+0xf6/0x1b0<br /> [83428.296014] do_syscall_64+0x7b/0x2c0<br /> [83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup<br /> <br /> The kthread_run() function returns error pointers so the<br /> max3421_hcd-&gt;spi_thread pointer can be either error pointers or NULL.<br /> Check for both before dereferencing it.

*** Pendiente de traducción *** The Specific Content For Mobile – Customize the mobile version without redirections plugin for WordPress is vulnerable to SQL Injection via the eos_scfm_duplicate_post_as_draft() function in all versions up to, and including, 0.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with COntributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

*** Pendiente de traducción *** Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links <br /> to be loaded without prompt. Such links could also be used to transmit system information, such as environment variables or configuration settings.<br /> <br /> In the affected versions of Apache OpenOffice, documents that used a certain URI scheme linking to external files would <br /> load the contents of such files without prompting the user for <br /> permission to do so. Such URI scheme allows to include system configuration data, that is not supposed to be transmitted externally.<br /> <br /> This issue affects Apache OpenOffice: through 4.1.15.<br /> <br /> Users are recommended to upgrade to version 4.1.16, which fixes the issue.<br /> <br /> <br /> <br /> <br /> <br /> The LibreOffice suite reported this issue as CVE-2024-12426.

*** Pendiente de traducción *** Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.

*** Pendiente de traducción *** Reflected cross-site scripting vulnerability in Apache OFBiz.<br /> <br /> This issue affects Apache OFBiz: before 24.09.03.<br /> <br /> Users are recommended to upgrade to version 24.09.03, which fixes the issue.

*** Pendiente de traducción *** Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.<br /> <br /> This issue affects Apache OFBiz: before 24.09.03.<br /> <br /> Users are recommended to upgrade to version 24.09.03, which fixes the issue.