Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> brcmfmac: return error when getting invalid max_flowrings from dongle<br /> <br /> When firmware hit trap at initialization, host will read abnormal<br /> max_flowrings number from dongle, and it will cause kernel panic when<br /> doing iowrite to initialize dongle ring.<br /> To detect this error at early stage, we directly return error when getting<br /> invalid max_flowrings(&gt;256).

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: cx88: Fix a null-ptr-deref bug in buffer_prepare()<br /> <br /> When the driver calls cx88_risc_buffer() to prepare the buffer, the<br /> function call may fail, resulting in a empty buffer and null-ptr-deref<br /> later in buffer_queue().<br /> <br /> The following log can reveal it:<br /> <br /> [ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI<br /> [ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> [ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500<br /> [ 41.836311] Call Trace:<br /> [ 41.836945] __enqueue_in_driver+0x141/0x360<br /> [ 41.837262] vb2_start_streaming+0x62/0x4a0<br /> [ 41.838216] vb2_core_streamon+0x1da/0x2c0<br /> [ 41.838516] __vb2_init_fileio+0x981/0xbc0<br /> [ 41.839141] __vb2_perform_fileio+0xbf9/0x1120<br /> [ 41.840072] vb2_fop_read+0x20e/0x400<br /> [ 41.840346] v4l2_read+0x215/0x290<br /> [ 41.840603] vfs_read+0x162/0x4c0<br /> <br /> Fix this by checking the return value of cx88_risc_buffer()<br /> <br /> [hverkuil: fix coding style issues]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/dp: fix aux-bus EP lifetime<br /> <br /> Device-managed resources allocated post component bind must be tied to<br /> the lifetime of the aggregate DRM device or they will not necessarily be<br /> released when binding of the aggregate device is deferred.<br /> <br /> This can lead resource leaks or failure to bind the aggregate device<br /> when binding is later retried and a second attempt to allocate the<br /> resources is made.<br /> <br /> For the DP aux-bus, an attempt to populate the bus a second time will<br /> simply fail ("DP AUX EP device already populated").<br /> <br /> Fix this by tying the lifetime of the EP device to the DRM device rather<br /> than DP controller platform device.<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/502672/

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wilc1000: add missing unregister_netdev() in wilc_netdev_ifc_init()<br /> <br /> Fault injection test reports this issue:<br /> <br /> kernel BUG at net/core/dev.c:10731!<br /> invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI<br /> Call Trace:<br /> <br /> wilc_netdev_ifc_init+0x19f/0x220 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]<br /> wilc_cfg80211_init+0x30c/0x380 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]<br /> wilc_bus_probe+0xad/0x2b0 [wilc1000_spi 1520a7539b6589cc6cde2ae826a523a33f8bacff]<br /> spi_probe+0xe4/0x140<br /> really_probe+0x17e/0x3f0<br /> __driver_probe_device+0xe3/0x170<br /> driver_probe_device+0x49/0x120<br /> <br /> The root case here is alloc_ordered_workqueue() fails, but<br /> cfg80211_unregister_netdevice() or unregister_netdev() not be called in<br /> error handling path. To fix add unregister_netdev goto lable to add the<br /> unregister operation in error handling path.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: hisilicon: Add multi-thread support for a DMA channel<br /> <br /> When we get a DMA channel and try to use it in multiple threads it<br /> will cause oops and hanging the system.<br /> <br /> % echo 100 &gt; /sys/module/dmatest/parameters/threads_per_chan<br /> % echo 100 &gt; /sys/module/dmatest/parameters/iterations<br /> % echo 1 &gt; /sys/module/dmatest/parameters/run<br /> [383493.327077] Unable to handle kernel paging request at virtual<br /> address dead000000000108<br /> [383493.335103] Mem abort info:<br /> [383493.335103] ESR = 0x96000044<br /> [383493.335105] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [383493.335107] SET = 0, FnV = 0<br /> [383493.335108] EA = 0, S1PTW = 0<br /> [383493.335109] FSC = 0x04: level 0 translation fault<br /> [383493.335110] Data abort info:<br /> [383493.335111] ISV = 0, ISS = 0x00000044<br /> [383493.364739] CM = 0, WnR = 1<br /> [383493.367793] [dead000000000108] address between user and kernel<br /> address ranges<br /> [383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP<br /> [383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump:<br /> loaded Tainted: GO 5.17.0-rc4+ #2<br /> [383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT<br /> -SSBS BTYPE=--)<br /> [383493.465331] pc : vchan_tx_submit+0x64/0xa0<br /> [383493.469957] lr : vchan_tx_submit+0x34/0xa0<br /> <br /> This occurs because the transmission timed out, and that&amp;#39;s due<br /> to data race. Each thread rewrite channels&amp;#39;s descriptor as soon as<br /> device_issue_pending is called. It leads to the situation that<br /> the driver thinks that it uses the right descriptor in interrupt<br /> handler while channels&amp;#39;s descriptor has been changed by other<br /> thread. The descriptor which in fact reported interrupt will not<br /> be handled any more, as well as its tx-&gt;callback.<br /> That&amp;#39;s why timeout reports.<br /> <br /> With current fixes channels&amp;#39; descriptor changes it&amp;#39;s value only<br /> when it has been used. A new descriptor is acquired from<br /> vc-&gt;desc_issued queue that is already filled with descriptors<br /> that are ready to be sent. Threads have no direct access to DMA<br /> channel descriptor. In case of channel&amp;#39;s descriptor is busy, try<br /> to submit to HW again when a descriptor is completed. In this case,<br /> vc-&gt;desc_issued may be empty when hisi_dma_start_transfer is called,<br /> so delete error reporting on this. Now it is just possible to queue<br /> a descriptor for further processing.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mmc: wmt-sdmmc: fix return value check of mmc_add_host()<br /> <br /> mmc_add_host() may return error, if we ignore its return value, the memory<br /> that allocated in mmc_alloc_host() will be leaked and it will lead a kernel<br /> crash because of deleting not added device in the remove path.<br /> <br /> So fix this by checking the return value and goto error path which will call<br /> mmc_free_host(), besides, clk_disable_unprepare() also needs be called.

Jenkins 2.527 y anteriores, LTS 2.516.2 y anteriores no realiza una verificación de permisos para el menú desplegable del perfil de usuario autenticado, permitiendo a los atacantes sin permiso de Overall/Read obtener información limitada sobre la configuración de Jenkins al listar las opciones disponibles en este menú (p. ej., si el Credentials plugin está instalado).

Jenkins 2.527 y anteriores, LTS 2.516.2 y anteriores no restringe ni transforma los caracteres que pueden insertarse desde contenido especificado por el usuario en mensajes de registro, permitiendo a los atacantes capaces de controlar el contenido de los mensajes de registro insertar caracteres de salto de línea, seguidos de mensajes de registro falsificados que pueden inducir a error a los administradores que revisan la salida del registro.

Jenkins 2.527 y anteriores, LTS 2.516.2 y anteriores no realiza una verificación de permisos en el panel lateral de una página intencionalmente accesible para usuarios que carecen del permiso General/Lectura, permitiendo a atacantes sin el permiso General/Lectura listar nombres de agentes a través de su widget de ejecutores del panel lateral.

Open5GS v2.7.5, anterior al commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, es vulnerable a una desreferenciación de puntero NULL cuando se envía una solicitud HTTP POST multipart/related con un cuerpo HTTP vacío al SBI de AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM o UDR, lo que resulta en una denegación de servicio. Esto ocurre en la función parse_multipart en lib/sbi/message.c.

*** Pendiente de traducción *** An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter

*** Pendiente de traducción *** A vulnerability was detected in SourceCodester Online Student File Management System 1.0. Affected is an unknown function of the file /admin/update_student.php. Performing manipulation of the argument stud_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.