Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/vm: Clear the scratch_pt pointer on error<br /> <br /> Avoid triggering a dereference of an error pointer on cleanup in<br /> xe_vm_free_scratch() by clearing any scratch_pt error pointer.<br /> <br /> (cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sctp: initialize more fields in sctp_v6_from_sk()<br /> <br /> syzbot found that sin6_scope_id was not properly initialized,<br /> leading to undefined behavior.<br /> <br /> Clear sin6_scope_id and sin6_flowinfo.<br /> <br /> BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649<br /> __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649<br /> sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983<br /> sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390<br /> sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452<br /> sctp_get_port net/sctp/socket.c:8523 [inline]<br /> sctp_listen_start net/sctp/socket.c:8567 [inline]<br /> sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636<br /> __sys_listen_socket net/socket.c:1912 [inline]<br /> __sys_listen net/socket.c:1927 [inline]<br /> __do_sys_listen net/socket.c:1932 [inline]<br /> __se_sys_listen net/socket.c:1930 [inline]<br /> __x64_sys_listen+0x343/0x4c0 net/socket.c:1930<br /> x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Local variable addr.i.i created at:<br /> sctp_get_port net/sctp/socket.c:8515 [inline]<br /> sctp_listen_start net/sctp/socket.c:8567 [inline]<br /> sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636<br /> __sys_listen_socket net/socket.c:1912 [inline]<br /> __sys_listen net/socket.c:1927 [inline]<br /> __do_sys_listen net/socket.c:1932 [inline]<br /> __se_sys_listen net/socket.c:1930 [inline]<br /> __x64_sys_listen+0x343/0x4c0 net/socket.c:1930

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Fix memory corruption when FW resources change during ifdown<br /> <br /> bnxt_set_dflt_rings() assumes that it is always called before any TC has<br /> been created. So it doesn&amp;#39;t take bp-&gt;num_tc into account and assumes<br /> that it is always 0 or 1.<br /> <br /> In the FW resource or capability change scenario, the FW will return<br /> flags in bnxt_hwrm_if_change() that will cause the driver to<br /> reinitialize and call bnxt_cancel_reservations(). This will lead to<br /> bnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp-&gt;num_tc<br /> may be greater than 1. This will cause bp-&gt;tx_ring[] to be sized too<br /> small and cause memory corruption in bnxt_alloc_cp_rings().<br /> <br /> Fix it by properly scaling the TX rings by bp-&gt;num_tc in the code<br /> paths mentioned above. Add 2 helper functions to determine<br /> bp-&gt;tx_nr_rings and bp-&gt;tx_nr_rings_per_tc.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length<br /> <br /> The QuickI2C ACPI _DSD methods return ICRS and ISUB data with a<br /> trailing byte, making the actual length is one more byte than the<br /> structs defined.<br /> <br /> It caused stack-out-of-bounds and kernel crash:<br /> <br /> kernel: BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75<br /> kernel:<br /> kernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary)<br /> kernel: Workqueue: async async_run_entry_fn<br /> kernel: Call Trace:<br /> kernel: <br /> kernel: dump_stack_lvl+0x76/0xa0<br /> kernel: print_report+0xd1/0x660<br /> kernel: ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> kernel: ? __kasan_slab_free+0x5d/0x80<br /> kernel: ? kasan_addr_to_slab+0xd/0xb0<br /> kernel: kasan_report+0xe1/0x120<br /> kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: kasan_check_range+0x11c/0x200<br /> kernel: __asan_memcpy+0x3b/0x80<br /> kernel: quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c]<br /> kernel: quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c]<br /> [...]<br /> kernel: <br /> kernel:<br /> kernel: The buggy address belongs to stack of task kworker/u33:2/75<br /> kernel: and is located at offset 48 in frame:<br /> kernel: quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c]<br /> kernel:<br /> kernel: This frame has 3 objects:<br /> kernel: [32, 36) &amp;#39;hid_desc_addr&amp;#39;<br /> kernel: [48, 59) &amp;#39;i2c_param&amp;#39;<br /> kernel: [80, 224) &amp;#39;i2c_config&amp;#39;<br /> <br /> ACPI DSD methods return:<br /> <br /> \_SB.PC00.THC0.ICRS Buffer 000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00<br /> \_SB.PC00.THC0.ISUB Buffer 00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00<br /> <br /> Adding reserved padding to quicki2c_subip_acpi_parameter/config.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()<br /> <br /> in ntrig_report_version(), hdev parameter passed from hid_probe().<br /> sending descriptor to /dev/uhid can make hdev-&gt;dev.parent-&gt;parent to null<br /> if hdev-&gt;dev.parent-&gt;parent is null, usb_dev has<br /> invalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned<br /> when usb_rcvctrlpipe() use usb_dev,it trigger<br /> page fault error for address(0xffffffffffffff58)<br /> <br /> add null check logic to ntrig_report_version()<br /> before calling hid_to_usb_dev()

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/mediatek: Add error handling for old state CRTC in atomic_disable<br /> <br /> Introduce error handling to address an issue where, after a hotplug<br /> event, the cursor continues to update. This situation can lead to a<br /> kernel panic due to accessing the NULL `old_state-&gt;crtc`.<br /> <br /> E,g.<br /> Unable to handle kernel NULL pointer dereference at virtual address<br /> Call trace:<br /> mtk_crtc_plane_disable+0x24/0x140<br /> mtk_plane_atomic_update+0x8c/0xa8<br /> drm_atomic_helper_commit_planes+0x114/0x2c8<br /> drm_atomic_helper_commit_tail_rpm+0x4c/0x158<br /> commit_tail+0xa0/0x168<br /> drm_atomic_helper_commit+0x110/0x120<br /> drm_atomic_commit+0x8c/0xe0<br /> drm_atomic_helper_update_plane+0xd4/0x128<br /> __setplane_atomic+0xcc/0x110<br /> drm_mode_cursor_common+0x250/0x440<br /> drm_mode_cursor_ioctl+0x44/0x70<br /> drm_ioctl+0x264/0x5d8<br /> __arm64_sys_ioctl+0xd8/0x510<br /> invoke_syscall+0x6c/0xe0<br /> do_el0_svc+0x68/0xe8<br /> el0_svc+0x34/0x60<br /> el0t_64_sync_handler+0x1c/0xf8<br /> el0t_64_sync+0x180/0x188<br /> <br /> Adding NULL pointer checks to ensure stability by preventing operations<br /> on an invalid CRTC state.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()<br /> <br /> A malicious HID device can trigger a slab out-of-bounds during<br /> mt_report_fixup() by passing in report descriptor smaller than<br /> 607 bytes. mt_report_fixup() attempts to patch byte offset 607<br /> of the descriptor with 0x25 by first checking if byte offset<br /> 607 is 0x15 however it lacks bounds checks to verify if the<br /> descriptor is big enough before conducting this check. Fix<br /> this bug by ensuring the descriptor size is at least 608<br /> bytes before accessing it.<br /> <br /> Below is the KASAN splat after the out of bounds access happens:<br /> <br /> [ 13.671954] ==================================================================<br /> [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110<br /> [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10<br /> [ 13.673297]<br /> [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3<br /> [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04<br /> [ 13.673297] Call Trace:<br /> [ 13.673297] <br /> [ 13.673297] dump_stack_lvl+0x5f/0x80<br /> [ 13.673297] print_report+0xd1/0x660<br /> [ 13.673297] kasan_report+0xe5/0x120<br /> [ 13.673297] __asan_report_load1_noabort+0x18/0x20<br /> [ 13.673297] mt_report_fixup+0x103/0x110<br /> [ 13.673297] hid_open_report+0x1ef/0x810<br /> [ 13.673297] mt_probe+0x422/0x960<br /> [ 13.673297] hid_device_probe+0x2e2/0x6f0<br /> [ 13.673297] really_probe+0x1c6/0x6b0<br /> [ 13.673297] __driver_probe_device+0x24f/0x310<br /> [ 13.673297] driver_probe_device+0x4e/0x220<br /> [ 13.673297] __device_attach_driver+0x169/0x320<br /> [ 13.673297] bus_for_each_drv+0x11d/0x1b0<br /> [ 13.673297] __device_attach+0x1b8/0x3e0<br /> [ 13.673297] device_initial_probe+0x12/0x20<br /> [ 13.673297] bus_probe_device+0x13d/0x180<br /> [ 13.673297] device_add+0xe3a/0x1670<br /> [ 13.673297] hid_add_device+0x31d/0xa40<br /> [...]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: macb: fix unregister_netdev call order in macb_remove()<br /> <br /> When removing a macb device, the driver calls phy_exit() before<br /> unregister_netdev(). This leads to a WARN from kernfs:<br /> <br /> ------------[ cut here ]------------<br /> kernfs: can not remove &amp;#39;attached_dev&amp;#39;, no directory<br /> WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683<br /> Call trace:<br /> kernfs_remove_by_name_ns+0xd8/0xf0<br /> sysfs_remove_link+0x24/0x58<br /> phy_detach+0x5c/0x168<br /> phy_disconnect+0x4c/0x70<br /> phylink_disconnect_phy+0x6c/0xc0 [phylink]<br /> macb_close+0x6c/0x170 [macb]<br /> ...<br /> macb_remove+0x60/0x168 [macb]<br /> platform_remove+0x5c/0x80<br /> ...<br /> <br /> The warning happens because the PHY is being exited while the netdev<br /> is still registered. The correct order is to unregister the netdev<br /> before shutting down the PHY and cleaning up the MDIO bus.<br /> <br /> Fix this by moving unregister_netdev() ahead of phy_exit() in<br /> macb_remove().

*** Pendiente de traducción *** This vulnerability exist in PPC 2K15X Router, due to improper input validation for the Common Gateway Interface (CGI) parameters at its web management portal. A remote attacker could exploit this vulnerability by injecting malicious JavaScript into the vulnerable parameter, leading to a reflected Cross-Site Scripting (XSS) attack on the targeted system.

*** Pendiente de traducción *** Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.

*** Pendiente de traducción *** Spoofing issue in the Site Permissions component. This vulnerability was fixed in Firefox 143 and Thunderbird 143.

*** Pendiente de traducción *** Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability was fixed in Firefox 143.