Vulnerabilidades

*** Pendiente de traducción *** An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.

*** Pendiente de traducción *** The MCP SSE endpoint in oatpp-mcp returns an instance pointer as the session ID, which is not unique nor cryptographically secure. This allows network attackers with access to the oatpp-mcp server to guess future session IDs and hijack legitimate client MCP sessions, returning malicious responses from the oatpp-mcp server.

*** Pendiente de traducción *** Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP.This issue affects . <br /> <br /> All firmware versions with the Serial Number from 2000 to 5166

*** Pendiente de traducción *** ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 #147, ClipBucket v5 is vulnerable to arbitrary PHP code execution. In /upload/admin_area/actions/update_launch.php, the "type" parameter from a POST request is embedded into PHP tags and executed. Proper sanitization is not performed, and by injecting malicious code an attacker can execute arbitrary PHP code. This allows an attacker to achieve RCE. This issue has been resolved in version 5.5.2 #147.

*** Pendiente de traducción *** Reolink Video Doorbell WiFi DB_566128M5MP_W allows root shell access through an unsecured UART/serial console. An attacker with physical access can connect to the exposed interface and execute arbitrary commands with root privileges. NOTE: this is disputed by the Supplier because of "certain restrictions on users privately connecting serial port cables" and because "the root user has a password and it meets the requirements of password security complexity."

*** Pendiente de traducción *** In Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000, there is an improper access control vulnerability related to a log file.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: qcom: audioreach: fix potential null pointer dereference<br /> <br /> It is possible that the topology parsing function<br /> audioreach_widget_load_module_common() could return NULL or an error<br /> pointer. Add missing NULL check so that we do not dereference it.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: stm32-csi: Fix dereference before NULL check<br /> <br /> In &amp;#39;stm32_csi_start&amp;#39;, &amp;#39;csidev-&gt;s_subdev&amp;#39; is dereferenced directly while<br /> assigning a value to the &amp;#39;src_pad&amp;#39;. However the same value is being<br /> checked against NULL at a later point of time indicating that there<br /> are chances that the value can be NULL.<br /> <br /> Move the dereference after the NULL check.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID<br /> <br /> Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero<br /> unique ID.<br /> <br /> ```<br /> Each Unit and Terminal within the video function is assigned a unique<br /> identification number, the Unit ID (UID) or Terminal ID (TID), contained in<br /> the bUnitID or bTerminalID field of the descriptor. The value 0x00 is<br /> reserved for undefined ID,<br /> ```<br /> <br /> If we add a new entity with id 0 or a duplicated ID, it will be marked<br /> as UVC_INVALID_ENTITY_ID.<br /> <br /> In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require<br /> entities to have a non-zero unique ID"), we ignored all the invalid units,<br /> this broke a lot of non-compatible cameras. Hopefully we are more lucky<br /> this time.<br /> <br /> This also prevents some syzkaller reproducers from triggering warnings due<br /> to a chain of entities referring to themselves. In one particular case, an<br /> Output Unit is connected to an Input Unit, both with the same ID of 1. But<br /> when looking up for the source ID of the Output Unit, that same entity is<br /> found instead of the input entity, which leads to such warnings.<br /> <br /> In another case, a backward chain was considered finished as the source ID<br /> was 0. Later on, that entity was found, but its pads were not valid.<br /> <br /> Here is a sample stack trace for one of those cases.<br /> <br /> [ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd<br /> [ 20.830206] usb 1-1: Using ep0 maxpacket: 8<br /> [ 20.833501] usb 1-1: config 0 descriptor??<br /> [ 21.038518] usb 1-1: string descriptor 0 read error: -71<br /> [ 21.038893] usb 1-1: Found UVC 0.00 device (2833:0201)<br /> [ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!<br /> [ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!<br /> [ 21.042218] ------------[ cut here ]------------<br /> [ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0<br /> [ 21.043195] Modules linked in:<br /> [ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444<br /> [ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014<br /> [ 21.044639] Workqueue: usb_hub_wq hub_event<br /> [ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0<br /> [ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00<br /> [ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246<br /> [ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1<br /> [ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290<br /> [ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000<br /> [ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003<br /> [ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000<br /> [ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000<br /> [ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0<br /> [ 21.051136] PKRU: 55555554<br /> [ 21.051331] Call Trace:<br /> [ 21.051480] <br /> [ 21.051611] ? __warn+0xc4/0x210<br /> [ 21.051861] ? media_create_pad_link+0x2c4/0x2e0<br /> [ 21.052252] ? report_bug+0x11b/0x1a0<br /> [ 21.052540] ? trace_hardirqs_on+0x31/0x40<br /> [ 21.052901] ? handle_bug+0x3d/0x70<br /> [ 21.053197] ? exc_invalid_op+0x1a/0x50<br /> [ 21.053511] ? asm_exc_invalid_op+0x1a/0x20<br /> [ 21.053924] ? media_create_pad_link+0x91/0x2e0<br /> [ 21.054364] ? media_create_pad_link+0x2c4/0x2e0<br /> [ 21.054834] ? media_create_pad_link+0x91/0x2e0<br /> [ 21.055131] ? _raw_spin_unlock+0x1e/0x40<br /> [ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210<br /> [ 21.055837] uvc_mc_register_entities+0x358/0x400<br /> [ 21.056144] uvc_register_chains+0x1<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: iris: Fix memory leak by freeing untracked persist buffer<br /> <br /> One internal buffer which is allocated only once per session was not<br /> being freed during session close because it was not being tracked as<br /> part of internal buffer list which resulted in a memory leak.<br /> <br /> Add the necessary logic to explicitly free the untracked internal buffer<br /> during session close to ensure all allocated memory is released<br /> properly.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/hugetlb: fix folio is still mapped when deleted<br /> <br /> Migration may be raced with fallocating hole. remove_inode_single_folio<br /> will unmap the folio if the folio is still mapped. However, it&amp;#39;s called<br /> without folio lock. If the folio is migrated and the mapped pte has been<br /> converted to migration entry, folio_mapped() returns false, and won&amp;#39;t<br /> unmap it. Due to extra refcount held by remove_inode_single_folio,<br /> migration fails, restores migration entry to normal pte, and the folio is<br /> mapped again. As a result, we triggered BUG in filemap_unaccount_folio.<br /> <br /> The log is as follows:<br /> BUG: Bad page cache in process hugetlb pfn:156c00<br /> page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00<br /> head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0<br /> aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file"<br /> flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)<br /> page_type: f4(hugetlb)<br /> page dumped because: still mapped when deleted<br /> CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE<br /> Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x4f/0x70<br /> filemap_unaccount_folio+0xc4/0x1c0<br /> __filemap_remove_folio+0x38/0x1c0<br /> filemap_remove_folio+0x41/0xd0<br /> remove_inode_hugepages+0x142/0x250<br /> hugetlbfs_fallocate+0x471/0x5a0<br /> vfs_fallocate+0x149/0x380<br /> <br /> Hold folio lock before checking if the folio is mapped to avold race with<br /> migration.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfs: fix reference leak<br /> <br /> Commit 20d72b00ca81 ("netfs: Fix the request&amp;#39;s work item to not<br /> require a ref") modified netfs_alloc_request() to initialize the<br /> reference counter to 2 instead of 1. The rationale was that the<br /> requet&amp;#39;s "work" would release the second reference after completion<br /> (via netfs_{read,write}_collection_worker()). That works most of the<br /> time if all goes well.<br /> <br /> However, it leaks this additional reference if the request is released<br /> before the I/O operation has been submitted: the error code path only<br /> decrements the reference counter once and the work item will never be<br /> queued because there will never be a completion.<br /> <br /> This has caused outages of our whole server cluster today because<br /> tasks were blocked in netfs_wait_for_outstanding_io(), leading to<br /> deadlocks in Ceph (another bug that I will address soon in another<br /> patch). This was caused by a netfs_pgpriv2_begin_copy_to_cache() call<br /> which failed in fscache_begin_write_operation(). The leaked<br /> netfs_io_request was never completed, leaving `netfs_inode.io_count`<br /> with a positive value forever.<br /> <br /> All of this is super-fragile code. Finding out which code paths will<br /> lead to an eventual completion and which do not is hard to see:<br /> <br /> - Some functions like netfs_create_write_req() allocate a request, but<br /> will never submit any I/O.<br /> <br /> - netfs_unbuffered_read_iter_locked() calls netfs_unbuffered_read()<br /> and then netfs_put_request(); however, netfs_unbuffered_read() can<br /> also fail early before submitting the I/O request, therefore another<br /> netfs_put_request() call must be added there.<br /> <br /> A rule of thumb is that functions that return a `netfs_io_request` do<br /> not submit I/O, and all of their callers must be checked.<br /> <br /> For my taste, the whole netfs code needs an overhaul to make reference<br /> counting easier to understand and less fragile &amp; obscure. But to fix<br /> this bug here and now and produce a patch that is adequate for a<br /> stable backport, I tried a minimal approach that quickly frees the<br /> request object upon early failure.<br /> <br /> I decided against adding a second netfs_put_request() each time<br /> because that would cause code duplication which obscures the code<br /> further. Instead, I added the function netfs_put_failed_request()<br /> which frees such a failed request synchronously under the assumption<br /> that the reference count is exactly 2 (as initially set by<br /> netfs_alloc_request() and never touched), verified by a<br /> WARN_ON_ONCE(). It then deinitializes the request object (without<br /> going through the "cleanup_work" indirection) and frees the allocation<br /> (with RCU protection to protect against concurrent access by<br /> netfs_requests_seq_start()).<br /> <br /> All code paths that fail early have been changed to call<br /> netfs_put_failed_request() instead of netfs_put_request().<br /> Additionally, I have added a netfs_put_request() call to<br /> netfs_unbuffered_read() as explained above because the<br /> netfs_put_failed_request() approach does not work there.