Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: core: Address thermal zone removal races with resume<br /> <br /> Since thermal_zone_pm_complete() and thermal_zone_device_resume()<br /> re-initialize the poll_queue delayed work for the given thermal zone,<br /> the cancel_delayed_work_sync() in thermal_zone_device_unregister()<br /> may miss some already running work items and the thermal zone may<br /> be freed prematurely [1].<br /> <br /> There are two failing scenarios that both start with<br /> running thermal_pm_notify_complete() right before invoking<br /> thermal_zone_device_unregister() for one of the thermal zones.<br /> <br /> In the first scenario, there is a work item already running for<br /> the given thermal zone when thermal_pm_notify_complete() calls<br /> thermal_zone_pm_complete() for that thermal zone and it continues to<br /> run when thermal_zone_device_unregister() starts. Since the poll_queue<br /> delayed work has been re-initialized by thermal_pm_notify_complete(), the<br /> running work item will be missed by the cancel_delayed_work_sync() in<br /> thermal_zone_device_unregister() and if it continues to run past the<br /> freeing of the thermal zone object, a use-after-free will occur.<br /> <br /> In the second scenario, thermal_zone_device_resume() queued up by<br /> thermal_pm_notify_complete() runs right after the thermal_zone_exit()<br /> called by thermal_zone_device_unregister() has returned. The poll_queue<br /> delayed work is re-initialized by it before cancel_delayed_work_sync() is<br /> called by thermal_zone_device_unregister(), so it may continue to run<br /> after the freeing of the thermal zone object, which also leads to a<br /> use-after-free.<br /> <br /> Address the first failing scenario by ensuring that no thermal work<br /> items will be running when thermal_pm_notify_complete() is called.<br /> For this purpose, first move the cancel_delayed_work() call from<br /> thermal_zone_pm_complete() to thermal_zone_pm_prepare() to prevent<br /> new work from entering the workqueue going forward. Next, switch<br /> over to using a dedicated workqueue for thermal events and update<br /> the code in thermal_pm_notify() to flush that workqueue after<br /> thermal_pm_notify_prepare() has returned which will take care of<br /> all leftover thermal work already on the workqueue (that leftover<br /> work would do nothing useful anyway because all of the thermal zones<br /> have been flagged as suspended).<br /> <br /> The second failing scenario is addressed by adding a tz-&gt;state check<br /> to thermal_zone_device_resume() to prevent it from re-initializing<br /> the poll_queue delayed work if the thermal zone is going away.<br /> <br /> Note that the above changes will also facilitate relocating the suspend<br /> and resume of thermal zones closer to the suspend and resume of devices,<br /> respectively.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_rndis: Fix net_device lifecycle with device_move<br /> <br /> The net_device is allocated during function instance creation and<br /> registered during the bind phase with the gadget device as its sysfs<br /> parent. When the function unbinds, the parent device is destroyed, but<br /> the net_device survives, resulting in dangling sysfs symlinks:<br /> <br /> console:/ # ls -l /sys/class/net/usb0<br /> lrwxrwxrwx ... /sys/class/net/usb0 -&gt;<br /> /sys/devices/platform/.../gadget.0/net/usb0<br /> console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0<br /> ls: .../gadget.0/net/usb0: No such file or directory<br /> <br /> Use device_move() to reparent the net_device between the gadget device<br /> tree and /sys/devices/virtual across bind and unbind cycles. During the<br /> final unbind, calling device_move(NULL) moves the net_device to the<br /> virtual device tree before the gadget device is destroyed. On rebinding,<br /> device_move() reparents the device back under the new gadget, ensuring<br /> proper sysfs topology and power management ordering.<br /> <br /> To maintain compatibility with legacy composite drivers (e.g., multi.c),<br /> the borrowed_net flag is used to indicate whether the network device is<br /> shared and pre-registered during the legacy driver&amp;#39;s bind phase.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_hid: move list and spinlock inits from bind to alloc<br /> <br /> There was an issue when you did the following:<br /> - setup and bind an hid gadget<br /> - open /dev/hidg0<br /> - use the resulting fd in EPOLL_CTL_ADD<br /> - unbind the UDC<br /> - bind the UDC<br /> - use the fd in EPOLL_CTL_DEL<br /> <br /> When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported<br /> within remove_wait_queue (via ep_remove_wait_queue). After some<br /> debugging I found out that the queues, which f_hid registers via<br /> poll_wait were the problem. These were initialized using<br /> init_waitqueue_head inside hidg_bind. So effectively, the bind function<br /> re-initialized the queues while there were still items in them.<br /> <br /> The solution is to move the initialization from hidg_bind to hidg_alloc<br /> to extend their lifetimes to the lifetime of the function instance.<br /> <br /> Additionally, I found many other possibly problematic init calls in the<br /> bind function, which I moved as well.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_uac1_legacy: validate control request size<br /> <br /> f_audio_complete() copies req-&gt;length bytes into a 4-byte stack<br /> variable:<br /> <br /> u32 data = 0;<br /> memcpy(&amp;data, req-&gt;buf, req-&gt;length);<br /> <br /> req-&gt;length is derived from the host-controlled USB request path,<br /> which can lead to a stack out-of-bounds write.<br /> <br /> Validate req-&gt;actual against the expected payload size for the<br /> supported control selectors and decode only the expected amount<br /> of data.<br /> <br /> This avoids copying a host-influenced length into a fixed-size<br /> stack object.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_ecm: Fix net_device lifecycle with device_move<br /> <br /> The net_device is allocated during function instance creation and<br /> registered during the bind phase with the gadget device as its sysfs<br /> parent. When the function unbinds, the parent device is destroyed, but<br /> the net_device survives, resulting in dangling sysfs symlinks:<br /> <br /> console:/ # ls -l /sys/class/net/usb0<br /> lrwxrwxrwx ... /sys/class/net/usb0 -&gt;<br /> /sys/devices/platform/.../gadget.0/net/usb0<br /> console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0<br /> ls: .../gadget.0/net/usb0: No such file or directory<br /> <br /> Use device_move() to reparent the net_device between the gadget device<br /> tree and /sys/devices/virtual across bind and unbind cycles. During the<br /> final unbind, calling device_move(NULL) moves the net_device to the<br /> virtual device tree before the gadget device is destroyed. On rebinding,<br /> device_move() reparents the device back under the new gadget, ensuring<br /> proper sysfs topology and power management ordering.<br /> <br /> To maintain compatibility with legacy composite drivers (e.g., multi.c),<br /> the bound flag is used to indicate whether the network device is shared<br /> and pre-registered during the legacy driver&amp;#39;s bind phase.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_eem: Fix net_device lifecycle with device_move<br /> <br /> The net_device is allocated during function instance creation and<br /> registered during the bind phase with the gadget device as its sysfs<br /> parent. When the function unbinds, the parent device is destroyed, but<br /> the net_device survives, resulting in dangling sysfs symlinks:<br /> <br /> console:/ # ls -l /sys/class/net/usb0<br /> lrwxrwxrwx ... /sys/class/net/usb0 -&gt;<br /> /sys/devices/platform/.../gadget.0/net/usb0<br /> console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0<br /> ls: .../gadget.0/net/usb0: No such file or directory<br /> <br /> Use device_move() to reparent the net_device between the gadget device<br /> tree and /sys/devices/virtual across bind and unbind cycles. During the<br /> final unbind, calling device_move(NULL) moves the net_device to the<br /> virtual device tree before the gadget device is destroyed. On rebinding,<br /> device_move() reparents the device back under the new gadget, ensuring<br /> proper sysfs topology and power management ordering.<br /> <br /> To maintain compatibility with legacy composite drivers (e.g., multi.c),<br /> the bound flag is used to indicate whether the network device is shared<br /> and pre-registered during the legacy driver&amp;#39;s bind phase.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_subset: Fix net_device lifecycle with device_move<br /> <br /> The net_device is allocated during function instance creation and<br /> registered during the bind phase with the gadget device as its sysfs<br /> parent. When the function unbinds, the parent device is destroyed, but<br /> the net_device survives, resulting in dangling sysfs symlinks:<br /> <br /> console:/ # ls -l /sys/class/net/usb0<br /> lrwxrwxrwx ... /sys/class/net/usb0 -&gt;<br /> /sys/devices/platform/.../gadget.0/net/usb0<br /> console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0<br /> ls: .../gadget.0/net/usb0: No such file or directory<br /> <br /> Use device_move() to reparent the net_device between the gadget device<br /> tree and /sys/devices/virtual across bind and unbind cycles. During the<br /> final unbind, calling device_move(NULL) moves the net_device to the<br /> virtual device tree before the gadget device is destroyed. On rebinding,<br /> device_move() reparents the device back under the new gadget, ensuring<br /> proper sysfs topology and power management ordering.<br /> <br /> To maintain compatibility with legacy composite drivers (e.g., multi.c),<br /> the bound flag is used to indicate whether the network device is shared<br /> and pre-registered during the legacy driver&amp;#39;s bind phase.

*** Pendiente de traducción *** A vulnerability was detected in AcademySoftwareFoundation OpenImageIO up to 3.2.0.1-dev. This vulnerability affects unknown code of the file src/dds.imageio/ddsinput.cpp of the component DDS Image Handler. The manipulation results in out-of-bounds write. The attack needs to be approached locally. The exploit is now public and may be used. The patch is identified as 94ec2deec3e3bf2f2e2ff84d008e27425d626fe2. Applying a patch is advised to resolve this issue.

*** Pendiente de traducción *** The Total Upkeep – WordPress Backup Plugin plus Restore &amp; Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the &amp;#39;wp_ajax_cli_cancel&amp;#39; function in all versions up to, and including, 1.17.1. This makes it possible for unauthenticated attackers to cancel a pending rollback, potentially preventing a WordPress installation from automatically reverting a failed update.

*** Pendiente de traducción *** A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects module_hash_decode in multiple Kerberos-related modules because account_info_len is calculated from untrusted delimiter positions without upper-bound validation before memcpy copies the data into a fixed-size account_info buffer.

*** Pendiente de traducción *** A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.

*** Pendiente de traducción *** A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum