Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database): under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-46622

Publication date: 06/01/2025
An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2026

CVE-2025-21613

Publication date: 06/01/2025
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
Severity CVSS v4.0: CRITICAL
Last modification: 17/04/2025

CVE-2025-21614

Publication date: 06/01/2025
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification: 30/09/2025

CVE-2025-21615

Publication date: 06/01/2025
AAT (Another Activity Tracker) is a GPS-tracking application for tracking sportive activities, with emphasis on cycling. Versions lower than v1.26 of AAT are vulnerable to data exfiltration from malicious apps installed on the same device.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2026

CVE-2025-21618

Publication date: 06/01/2025
NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2026

CVE-2024-56769

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg

Syzbot reports [1] an uninitialized value issue found by KMSAN in
dib3000_read_reg().

Local u8 rb[2] is used in i2c_transfer() as a read buffer; in case
that call fails, the buffer may end up with some undefined values.

Since no elaborate error handling is expected in dib3000_write_reg(),
simply zero out rb buffer to mitigate the problem.

[1] Syzkaller report
dvb-usb: bulk message failed: -22 (6/0)
=====================================================
BUG: KMSAN: uninit-value in dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
dibusb_dib3000mb_frontend_attach+0x155/0x2f0 drivers/media/usb/dvb-usb/dibusb-mb.c:31
dvb_usb_adapter_frontend_init+0xed/0x9a0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290
dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:90 [inline]
dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:186 [inline]
dvb_usb_device_init+0x25a8/0x3760 drivers/media/usb/dvb-usb/dvb-usb-init.c:310
dibusb_probe+0x46/0x250 drivers/media/usb/dvb-usb/dibusb-mb.c:110
...
Local variable rb created at:
dib3000_read_reg+0x86/0x4e0 drivers/media/dvb-frontends/dib3000mb.c:54
dib3000mb_attach+0x123/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
...
Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56768

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP

On x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP
disabled can trigger the following bug, as pcpu_hot is unavailable:

[ 8.471774] BUG: unable to handle page fault for address: 00000000936a290c
[ 8.471849] #PF: supervisor read access in kernel mode
[ 8.471881] #PF: error_code(0x0000) - not-present page

Fix by inlining a return 0 in the !CONFIG_SMP case.
Severity CVSS v4.0: Pending analysis
Last modification: 01/10/2025

CVE-2024-56766

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: fix double free in atmel_pmecc_create_user()

The "user" pointer was converted from being allocated with kzalloc() to
being allocated by devm_kzalloc(). Calling kfree(user) will lead to a
double free.
Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56767

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset

The at_xdmac_memset_create_desc may return NULL, which will lead to a
null pointer dereference. For example, the len input is error, or the
atchan->free_descs_list is empty and memory is exhausted. Therefore, add
check to avoid this.
Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56764

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

ublk: detach gendisk from ublk device if add_disk() fails

Inside ublk_abort_requests(), gendisk is grabbed for aborting all
inflight requests. And ublk_abort_requests() is called when exiting
the uring context or handling timeout.

If add_disk() fails, the gendisk may have been freed when calling
ublk_abort_requests(), so use-after-free can be caused when getting
disk's reference in ublk_abort_requests().

Fixes the bug by detaching gendisk from ublk device if add_disk() fails.
Severity CVSS v4.0: Pending analysis
Last modification: 11/02/2025

CVE-2024-56763

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

tracing: Prevent bad count for tracing_cpumask_write

If a large count is provided, it will trigger a warning in bitmap_parse_user.
Also check zero for it.
Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56765

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/vas: Add close() callback in vas_vm_ops struct

The mapping VMA address is saved in VAS window struct when the
paste address is mapped. This VMA address is used during migration
to unmap the paste address if the window is active. The paste
address mapping will be removed when the window is closed or with
the munmap(). But the VMA address in the VAS window is not updated
with munmap() which is causing invalid access during migration.

The KASAN report shows:
[16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8
[16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928

[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2
[16386.255128] Tainted: [B]=BAD_PAGE
[16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries
[16386.255181] Call Trace:
[16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable)
[16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764
[16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8
[16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0
[16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8
[16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc
[16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4
...

[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s:
[16386.256149] kasan_save_stack+0x34/0x68
[16386.256163] kasan_save_track+0x34/0x80
[16386.256175] kasan_save_alloc_info+0x58/0x74
[16386.256196] __kasan_slab_alloc+0xb8/0xdc
[16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0
[16386.256225] vm_area_alloc+0x44/0x150
[16386.256245] mmap_region+0x214/0x10c4
[16386.256265] do_mmap+0x5fc/0x750
[16386.256277] vm_mmap_pgoff+0x14c/0x24c
[16386.256292] ksys_mmap_pgoff+0x20c/0x348
[16386.256303] sys_mmap+0xd0/0x160
...

[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s:
[16386.256363] kasan_save_stack+0x34/0x68
[16386.256374] kasan_save_track+0x34/0x80
[16386.256384] kasan_save_free_info+0x64/0x10c
[16386.256396] __kasan_slab_free+0x120/0x204
[16386.256415] kmem_cache_free+0x128/0x450
[16386.256428] vm_area_free_rcu_cb+0xa8/0xd8
[16386.256441] rcu_do_batch+0x2c8/0xcf0
[16386.256458] rcu_core+0x378/0x3c4
[16386.256473] handle_softirqs+0x20c/0x60c
[16386.256495] do_softirq_own_stack+0x6c/0x88
[16386.256509] do_softirq_own_stack+0x58/0x88
[16386.256521] __irq_exit_rcu+0x1a4/0x20c
[16386.256533] irq_exit+0x20/0x38
[16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c
...

[16386.256717] Last potentially related work creation:
[16386.256729] kasan_save_stack+0x34/0x68
[16386.256741] __kasan_record_aux_stack+0xcc/0x12c
[16386.256753] __call_rcu_common.constprop.0+0x94/0xd04
[16386.256766] vm_area_free+0x28/0x3c
[16386.256778] remove_vma+0xf4/0x114
[16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870
[16386.256811] __vm_munmap+0xe0/0x1f8
[16386.256821] sys_munmap+0x54/0x6c
[16386.256830] system_call_exception+0x1a0/0x4a0
[16386.256841] system_call_vectored_common+0x15c/0x2ec

[16386.256868] The buggy address belongs to the object at c00000014a819670
which belongs to the cache vm_area_struct of size 168
[16386.256887] The buggy address is located 0 bytes inside of
freed 168-byte region [c00000014a819670, c00000014a819718)

[16386.256915] The buggy address belongs to the physical page:
[16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81
[16386.256950] memcg:c0000000ba430001
[16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff)
[16386.256975] page_type: 0xfdffffff(slab)
[16386
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025