Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-50073

Publication date:
29/10/2024
In the Linux kernel, the following vulnerability has been resolved:

tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0
drivers/tty/n_gsm.c:3160 [n_gsm]
Read of size 8 at addr ffff88815fe99c00 by task poc/3379
CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56
Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:

gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
__pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]
__pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389
update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500
__pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846
__rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161
gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
_raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107
__pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]
ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195
ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79
__pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338
__pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805
tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

Allocated by task 65:
gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]
gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]
gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]
gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]
tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391
tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39
flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445
process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229
worker_thread+0x3dc/0x950 kernel/workqueue.c:3391
kthread+0x2a3/0x370 kernel/kthread.c:389
ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257

Freed by task 3367:
kfree+0x126/0x420 mm/slub.c:4580
gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

[Analysis]
gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux
can be freed by multi threads through ioctl, which leads
to the occurrence of uaf. Protect it by gsm tx lock.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50074

Publication date:
29/10/2024
In the Linux kernel, the following vulnerability has been resolved:

parport: Proper fix for array out-of-bounds access

The recent fix for array out-of-bounds accesses replaced sprintf()
calls blindly with snprintf(). However, since snprintf() returns the
would-be-printed size, not the actually output size, the length
calculation can still go over the given limit.

Use scnprintf() instead of snprintf(), which returns the actually
output letters, for addressing the potential out-of-bounds access
properly.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50077

Publication date:
29/10/2024
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Fix multiple init when debugfs is disabled

If bt_debugfs is not created successfully, which happens if either
CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init()
returns early and does not set iso_inited to true. This means that a
subsequent call to iso_init() will result in duplicate calls to
proto_register(), bt_sock_register(), etc.

With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, the
duplicate call to proto_register() triggers this BUG():

list_add double add: new=ffffffffc0b280d0, prev=ffffffffbab56250,
next=ffffffffc0b280d0.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:35!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 887 Comm: bluetoothd Not tainted 6.10.11-1-ao-desktop #1
RIP: 0010:__list_add_valid_or_report+0x9a/0xa0
...
__list_add_valid_or_report+0x9a/0xa0
proto_register+0x2b5/0x340
iso_init+0x23/0x150 [bluetooth]
set_iso_socket_func+0x68/0x1b0 [bluetooth]
kmem_cache_free+0x308/0x330
hci_sock_sendmsg+0x990/0x9e0 [bluetooth]
__sock_sendmsg+0x7b/0x80
sock_write_iter+0x9a/0x110
do_iter_readv_writev+0x11d/0x220
vfs_writev+0x180/0x3e0
do_writev+0xca/0x100
...

This change removes the early return. The check for iso_debugfs being
NULL was unnecessary, it is always NULL when iso_inited is false.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50078

Publication date:
29/10/2024
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Call iso_exit() on module unload

If iso_init() has been called, iso_exit() must be called on module
unload. Without that, the struct proto that iso_init() registered with
proto_register() becomes invalid, which could cause unpredictable
problems later. In my case, with CONFIG_LIST_HARDENED and
CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually
triggers this BUG():

list_add corruption. next->prev should be prev (ffffffffb5355fd0),
but was 0000000000000068. (next=ffffffffc0a010d0).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:29!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 4159 Comm: modprobe Not tainted 6.10.11-4+bt2-ao-desktop #1
RIP: 0010:__list_add_valid_or_report+0x61/0xa0
...
__list_add_valid_or_report+0x61/0xa0
proto_register+0x299/0x320
hci_sock_init+0x16/0xc0 [bluetooth]
bt_init+0x68/0xd0 [bluetooth]
__pfx_bt_init+0x10/0x10 [bluetooth]
do_one_initcall+0x80/0x2f0
do_init_module+0x8b/0x230
__do_sys_init_module+0x15f/0x190
do_syscall_64+0x68/0x110
...
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-10478

Publication date:
29/10/2024
A vulnerability, which was classified as problematic, has been found in LinZhaoguan pb-cms up to 2.0.1. This issue affects some unknown processing of the file /admin#article/edit?id=2 of the component Edit Article Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
29/09/2025

CVE-2024-45656

Publication date:
29/10/2024
IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2025

CVE-2024-10477

Publication date:
29/10/2024
A vulnerability classified as problematic was found in LinZhaoguan pb-cms up to 2.0.1. This vulnerability affects unknown code of the file /admin#permissions of the component Permission Management Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
29/09/2025

CVE-2024-51506

Publication date:
28/10/2024
Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-51507

Publication date:
28/10/2024
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-51508

Publication date:
28/10/2024
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-51509

Publication date:
28/10/2024
Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-44237

Publication date:
28/10/2024
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. Processing a maliciously crafted file may lead to unexpected app termination.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025