Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-41029

Publication date: 29/07/2024
In the Linux kernel, the following vulnerability has been resolved:

nvmem: core: limit cell sysfs permissions to main attribute ones

The cell sysfs attribute should not provide more access to the nvmem data than the main attribute itself. For example if nvme_config::root_only was set, the cell attribute would still provide read access to everybody.

Mask out permissions not available on the main attribute.
Severity CVSS v4.0: Pending analysis
Last modification: 29/07/2024

CVE-2024-41030

Publication date: 29/07/2024
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: discard write access to the directory open

may_open() does not allow a directory to be opened with the write access. However, some writing flags set by client result in adding write access on server, making ksmbd incompatible with FUSE file system. Simply, let's discard the write access when opening a directory.

list_add corruption. next is NULL.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:26!
pc : __list_add_valid+0x88/0xbc
lr : __list_add_valid+0x88/0xbc
Call trace:
__list_add_valid+0x88/0xbc
fuse_finish_open+0x11c/0x170
fuse_open_common+0x284/0x5e8
fuse_dir_open+0x14/0x24
do_dentry_open+0x2a4/0x4e0
dentry_open+0x50/0x80
smb2_open+0xbe4/0x15a4
handle_ksmbd_work+0x478/0x5ec
process_one_work+0x1b4/0x448
worker_thread+0x25c/0x430
kthread+0x104/0x1d4
ret_from_fork+0x10/0x20
Severity CVSS v4.0: Pending analysis
Last modification: 29/07/2024

CVE-2024-41031

Publication date: 29/07/2024
In the Linux kernel, the following vulnerability has been resolved:

mm/filemap: skip to create PMD-sized page cache if needed

On ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The PMD-sized page cache can't be supported by xarray as the following error messages indicate.

------------[ cut here ]------------
WARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \
nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \
nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \
ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \
fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \
sha1_ce virtio_net net_failover virtio_console virtio_blk failover \
dimlib virtio_mmio
CPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : xas_split_alloc+0xf8/0x128
lr : split_huge_page_to_list_to_order+0x1c4/0x720
sp : ffff800087a4f6c0
x29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff
x26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858
x23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000
x20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000
x17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000
x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020
x11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28
x8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8
x5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40
x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000
Call trace:
xas_split_alloc+0xf8/0x128
split_huge_page_to_list_to_order+0x1c4/0x720
truncate_inode_partial_folio+0xdc/0x160
truncate_inode_pages_range+0x1b4/0x4a8
truncate_pagecache_range+0x84/0xa0
xfs_flush_unmap_range+0x70/0x90 [xfs]
xfs_file_fallocate+0xfc/0x4d8 [xfs]
vfs_fallocate+0x124/0x2e8
ksys_fallocate+0x4c/0xa0
__arm64_sys_fallocate+0x24/0x38
invoke_syscall.constprop.0+0x7c/0xd8
do_el0_svc+0xb4/0xd0
el0_svc+0x44/0x1d8
el0t_64_sync_handler+0x134/0x150
el0t_64_sync+0x17c/0x180

Fix it by skipping to allocate PMD-sized page cache when its size is larger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to regular path where the readahead window is determined by BDI's sysfs file (read_ahead_kb).
Severity CVSS v4.0: Pending analysis
Last modification: 29/07/2024

CVE-2024-41032

Publication date: 29/07/2024
In the Linux kernel, the following vulnerability has been resolved:

mm: vmalloc: check if a hash-index is in cpu_possible_mask

The problem is that there are systems where cpu_possible_mask has gaps between set CPUs, for example SPARC. In this scenario addr_to_vb_xa() hash function can return an index which accesses to not-possible and not setup CPU area using per_cpu() macro. This results in an oops on SPARC.

A per-cpu vmap_block_queue is also used as hash table, incorrectly assuming the cpu_possible_mask has no gaps. Fix it by adjusting an index to a next possible CPU.
Severity CVSS v4.0: Pending analysis
Last modification: 29/07/2024

CVE-2024-41033

Publication date: 29/07/2024
In the Linux kernel, the following vulnerability has been resolved:

cachestat: do not flush stats in recency check

syzbot detects that cachestat() is flushing stats, which can sleep, in its RCU read section (see [1]). This is done in the workingset_test_recent() step (which checks if the folio's eviction is recent).

Move the stat flushing step to before the RCU read section of cachestat, and skip stat flushing during the recency check.

[1]: https://lore.kernel.org/cgroups/000000000000f71227061bdf97e0@google.com/
Severity CVSS v4.0: Pending analysis
Last modification: 29/07/2024

CVE-2024-41034

Publication date: 29/07/2024
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix kernel bug on rename operation of broken directory

Syzbot reported that in rename directory operation on broken directory on nilfs2, __block_write_begin_int() called to prepare block write may fail BUG_ON check for access exceeding the folio/page size.

This is because nilfs_dotdot(), which gets parent directory reference entry ("..") of the directory to be moved or renamed, does not check consistency enough, and may return location exceeding folio/page size for broken directories.

Fix this issue by checking required directory entries ("." and "..") in the first chunk of the directory in nilfs_dotdot().
Severity CVSS v4.0: Pending analysis
Last modification: 29/07/2024

CVE-2024-41025

Publication date: 29/07/2024
In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix memory leak in audio daemon attach operation

Audio PD daemon sends the name as part of the init IOCTL call. This name needs to be copied to kernel for which memory is allocated. This memory is never freed which might result in memory leak. Free the memory when it is not needed.
Severity CVSS v4.0: Pending analysis
Last modification: 03/02/2025

CVE-2024-41024

Publication date: 29/07/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification: 19/12/2024

CVE-2024-41028

Publication date: 29/07/2024
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: toshiba_acpi: Fix array out-of-bounds access

In order to use toshiba_dmi_quirks[] together with the standard DMI matching functions, it must be terminated by an empty entry.

Since this entry is missing, an array out-of-bounds access occurs every time the quirk list is processed.

Fix this by adding the terminating empty entry.
Severity CVSS v4.0: Pending analysis
Last modification: 06/03/2025

CVE-2024-37906

Publication date: 29/07/2024
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application's database. The value of the `ecard_recipients` POST parameter is directly concatenated with the SQL query in the source code, causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and out-of-band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9.
Severity CVSS v4.0: Pending analysis
Last modification: 29/07/2024

CVE-2024-38529

Publication date: 29/07/2024
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`. The vulnerability is caused by the lack of file extension verification, which allows malicious files to be uploaded to the server, and by the public availability of the uploaded file. This vulnerability is fixed in 4.3.10.
Severity CVSS v4.0: Pending analysis
Last modification: 29/07/2024

CVE-2024-6984

Publication date: 29/07/2024
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm.
Severity CVSS v4.0: Pending analysis
Last modification: 11/09/2024