Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we provide a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities, available to any user interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-4440

Publication date:
25/06/2024
In the Linux kernel, the following vulnerability has been resolved:

x86/xen: Drop USERGS_SYSRET64 paravirt call

commit afd30525a659ac0ae0904f0cb4a2ca75522c3123 upstream.

USERGS_SYSRET64 is used to return from a syscall via SYSRET, but a Xen PV guest will nevertheless use the IRET hypercall, as there is no sysret PV hypercall defined.

So instead of testing all the prerequisites for doing a sysret and then mangling the stack for Xen PV again for doing an iret just use the iret exit from the beginning.

This can easily be done via an ALTERNATIVE like it is done for the sysenter compat case already.

It should be noted that this drops the optimization in Xen for not restoring a few registers when returning to user mode, but it seems as if the saved instructions in the kernel more than compensate for this drop (a kernel build in a Xen PV guest was slightly faster with this patch applied).

While at it remove the stale sysret32 remnants.

[ pawan: Brad Spengler and Salvatore Bonaccorso reported a problem with the 5.10 backport commit edc702b4a820 ("x86/entry_64: Add VERW just before userspace transition").

When CONFIG_PARAVIRT_XXL=y, CLEAR_CPU_BUFFERS is not executed in syscall_return_via_sysret path as USERGS_SYSRET64 is runtime patched to:

  .cpu_usergs_sysret64 = { 0x0f, 0x01, 0xf8,
                           0x48, 0x0f, 0x07 }, // swapgs; sysretq

which is missing CLEAR_CPU_BUFFERS. It turns out dropping USERGS_SYSRET64 simplifies the code, allowing CLEAR_CPU_BUFFERS to be explicitly added to syscall_return_via_sysret path. Below is with CONFIG_PARAVIRT_XXL=y and this patch applied:

  syscall_return_via_sysret:
  ...
  : swapgs
  : xchg %ax,%ax
  : verw -0x1a2(%rip)
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2025

CVE-2022-48772

Publication date:
25/06/2024
In the Linux kernel, the following vulnerability has been resolved:

media: lgdt3306a: Add a check against null-pointer-def

The driver should check whether the client provides the platform_data.

The following log reveals it:

[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40
[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414
[ 29.612820] Call Trace:
[ 29.613030]
[ 29.613201] dump_stack_lvl+0x56/0x6f
[ 29.613496] ? kmemdup+0x30/0x40
[ 29.613754] print_report.cold+0x494/0x6b7
[ 29.614082] ? kmemdup+0x30/0x40
[ 29.614340] kasan_report+0x8a/0x190
[ 29.614628] ? kmemdup+0x30/0x40
[ 29.614888] kasan_check_range+0x14d/0x1d0
[ 29.615213] memcpy+0x20/0x60
[ 29.615454] kmemdup+0x30/0x40
[ 29.615700] lgdt3306a_probe+0x52/0x310
[ 29.616339] i2c_device_probe+0x951/0xa90
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2024

CVE-2024-38951

Publication date:
25/06/2024
A buffer overflow in PX4-Autopilot v1.12.3 allows attackers to cause a Denial of Service (DoS) via a crafted MavLink message.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2025

CVE-2024-38952

Publication date:
25/06/2024
PX4-Autopilot v1.14.3 was discovered to contain a buffer overflow via the topic_name parameter at /logger/logged_topics.cpp.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2025

CVE-2024-5451

Publication date:
25/06/2024
The The7 — Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Icon and Heading widgets in all versions up to, and including, 11.13.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2024

CVE-2024-32111

Publication date:
25/06/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2024

CVE-2024-21827

Publication date:
25/06/2024
A leftover debug code vulnerability exists in the cli_server debug functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.4.1 Build 20240117 Rel.57421. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-6301

Publication date:
25/06/2024
Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-6302

Publication date:
25/06/2024
Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local user to redact any message from users on the same server, given that they are able to send redaction events.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-6303

Publication date:
25/06/2024
Missing authorization in Client-Server API in Conduit.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-4846

Publication date:
25/06/2024
Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-6299

Publication date:
25/06/2024
Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker who has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024