Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a Spanish-language database available to any interested user. It includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to the relevant information sources, as well as to any patches or solutions provided by manufacturers and developers. Advanced searches can be carried out by selecting different criteria to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-28862

Publication date:
16/03/2024
The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2025

CVE-2024-2514

Publication date:
15/03/2024
A vulnerability classified as critical was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Manipulation of the argument email leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256951. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2024-28859

Publication date:
15/03/2024
Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, the latest Swiftmailer, better performance, Composer compatibility and PHP 8 support. Symfony 1 has a gadget chain, due to a vulnerable Swift Mailer dependency, that would enable an attacker to get remote code execution if a developer unserializes user input in their project. This vulnerability presents no direct threat but is a vector that will enable remote code execution if a developer deserializes untrusted user data. Symfony 1 depends on Swift Mailer, which has been bundled by default in the vendor directory of the default installation since 1.3.0. Swift Mailer classes implement some `__destruct()` methods. These methods are called when PHP destroys the object in memory. However, it is possible to include any object type in `$this->_keys` to make PHP access array/object properties other than those intended by the developer. In particular, it is possible to abuse the array access which is triggered on `foreach($this->_keys ...)` for any class implementing the ArrayAccess interface. This may allow an attacker to execute any PHP command, which leads to remote code execution. This issue has been addressed in version 1.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2025

CVE-2024-23298

Publication date:
15/03/2024
A logic issue was addressed with improved state management.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2021-47119

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix memory leak in ext4_fill_super

Buffer head references must be released before calling kill_bdev(); otherwise the buffer head (and its page referenced by b_data) will not be freed by kill_bdev, and subsequently that bh will be leaked.

If blocksizes differ, sb_set_blocksize() will kill current buffers and page cache by using kill_bdev(). And then super block will be reread again but using correct blocksize this time. sb_set_blocksize() didn't fully free superblock page and buffer head, and being busy, they were not freed and instead leaked.

This can easily be reproduced by calling an infinite loop of:

systemctl start .mount, and
systemctl stop .mount

... since systemd creates a cgroup for each slice which it mounts, and the bh leak get amplified by a dying memory cgroup that also never gets freed, and memory consumption is much more easily noticed.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47120

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

HID: magicmouse: fix NULL-deref on disconnect

Commit 9d7b18668956 ("HID: magicmouse: add support for Apple Magic Trackpad 2") added a sanity check for an Apple trackpad but returned success instead of -ENODEV when the check failed. This means that the remove callback will dereference the never-initialised driver data pointer when the driver is later unbound (e.g. on USB disconnect).
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47121

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: caif: fix memory leak in cfusbl_device_notify

In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47122

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: caif: fix memory leak in caif_device_notify

In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47123

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix ltout double free on completion race

Always remove linked timeout on io_link_timeout_fn() from the master request link list, otherwise we may get use-after-free when first io_link_timeout_fn() puts linked timeout in the fail path, and then will be found and put on master's free.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2021-47124

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix link timeout refs

WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Call Trace:
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
io_put_req fs/io_uring.c:2140 [inline]
io_queue_linked_timeout fs/io_uring.c:6300 [inline]
__io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354
io_submit_sqe fs/io_uring.c:6534 [inline]
io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660
__do_sys_io_uring_enter fs/io_uring.c:9240 [inline]
__se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182

io_link_timeout_fn() should put only one reference of the linked timeout request, however in case of racing with the master request's completion first io_req_complete() puts one and then io_put_req_deferred() is called.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2021-47125

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

sch_htb: fix refcount leak in htb_parent_to_leaf_offload

The commit ae81feb7338c ("sch_htb: fix null pointer dereference on a null new_q") fixes a NULL pointer dereference bug, but it is not correct.

Because htb_graft_helper properly handles the case when new_q is NULL, and after the previous patch by skipping this call which creates an inconsistency: dev_queue->qdisc will still point to the old qdisc, but cl->parent->leaf.q will point to the new one (which will be noop_qdisc, because new_q was NULL). The code is based on an assumption that these two pointers are the same, so it can lead to refcount leaks.

The correct fix is to add a NULL pointer check to protect qdisc_refcount_inc inside htb_parent_to_leaf_offload.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47126

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions

Reported by syzbot:
HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7
compiler: Debian clang version 11.0.1-2

==================================================================
BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760

CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0
Call Trace:

__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x202/0x31e lib/dump_stack.c:120
print_address_description+0x5f/0x3b0 mm/kasan/report.c:232
__kasan_report mm/kasan/report.c:399 [inline]
kasan_report+0x15c/0x200 mm/kasan/report.c:416
fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536
fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174
rcu_do_batch kernel/rcu/tree.c:2559 [inline]
rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794
__do_softirq+0x372/0x7a6 kernel/softirq.c:345
invoke_softirq kernel/softirq.c:221 [inline]
__irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422
irq_exit_rcu+0x5/0x20 kernel/softirq.c:434
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100

asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515
Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d
RSP: 0018:ffffc90009e06560 EFLAGS: 00000206
RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1
R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4
rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267
rcu_read_lock include/linux/rcupdate.h:656 [inline]
ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231
ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212
ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379
ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982
ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238
ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638
ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848
ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900
ext4_append+0x1a4/0x360 fs/ext4/namei.c:67
ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768
ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814
vfs_mkdir+0x45b/0x640 fs/namei.c:3819
ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]
ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146
ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193
ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788
ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355
ovl_get_workdir fs/overlayfs/super.c:1492 [inline]
ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035
mount_nodev+0x52/0xe0 fs/super.c:1413
legacy_get_tree+0xea/0x180 fs/fs_context.c:592
vfs_get_tree+0x86/0x270 fs/super.c:1497
do_new_mount fs/namespace.c:2903 [inline]
path_mount+0x196f/0x2be0 fs/namespace.c:3233
do_mount fs/namespace.c:3246 [inline]
__do_sys_mount fs/namespace.c:3454 [inline]
__se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025