Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix NULL pointer dereference at hibernate<br /> <br /> During hibernate sequence the source context might not have a clk_mgr.<br /> So don&amp;#39;t use it to look for DML2 support.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/sched: Fix bounds limiting when given a malformed entity<br /> <br /> If we&amp;#39;re given a malformed entity in drm_sched_entity_init()--shouldn&amp;#39;t<br /> happen, but we verify--with out-of-bounds priority value, we set it to an<br /> allowed value. Fix the expression which sets this limit.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: fix check for attempt to corrupt spilled pointer<br /> <br /> When register is spilled onto a stack as a 1/2/4-byte register, we set<br /> slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,<br /> depending on actual spill size). So to check if some stack slot has<br /> spilled register we need to consult slot_type[7], not slot_type[0].<br /> <br /> To avoid the need to remember and double-check this in the future, just<br /> use is_spilled_reg() helper.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> efivarfs: force RO when remounting if SetVariable is not supported<br /> <br /> If SetVariable at runtime is not supported by the firmware we never assign<br /> a callback for that function. At the same time mount the efivarfs as<br /> RO so no one can call that. However, we never check the permission flags<br /> when someone remounts the filesystem as RW. As a result this leads to a<br /> crash looking like this:<br /> <br /> $ mount -o remount,rw /sys/firmware/efi/efivars<br /> $ efi-updatevar -f PK.auth PK<br /> <br /> [ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000<br /> [ 303.280482] Mem abort info:<br /> [ 303.280854] ESR = 0x0000000086000004<br /> [ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits<br /> [ 303.282016] SET = 0, FnV = 0<br /> [ 303.282414] EA = 0, S1PTW = 0<br /> [ 303.282821] FSC = 0x04: level 0 translation fault<br /> [ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000<br /> [ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000<br /> [ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP<br /> [ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6<br /> [ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1<br /> [ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023<br /> [ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 303.292123] pc : 0x0<br /> [ 303.292443] lr : efivar_set_variable_locked+0x74/0xec<br /> [ 303.293156] sp : ffff800008673c10<br /> [ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000<br /> [ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027<br /> [ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000<br /> [ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000<br /> [ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54<br /> [ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4<br /> [ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002<br /> [ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201<br /> [ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc<br /> [ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000<br /> [ 303.303341] Call trace:<br /> [ 303.303679] 0x0<br /> [ 303.303938] efivar_entry_set_get_size+0x98/0x16c<br /> [ 303.304585] efivarfs_file_write+0xd0/0x1a4<br /> [ 303.305148] vfs_write+0xc4/0x2e4<br /> [ 303.305601] ksys_write+0x70/0x104<br /> [ 303.306073] __arm64_sys_write+0x1c/0x28<br /> [ 303.306622] invoke_syscall+0x48/0x114<br /> [ 303.307156] el0_svc_common.constprop.0+0x44/0xec<br /> [ 303.307803] do_el0_svc+0x38/0x98<br /> [ 303.308268] el0_svc+0x2c/0x84<br /> [ 303.308702] el0t_64_sync_handler+0xf4/0x120<br /> [ 303.309293] el0t_64_sync+0x190/0x194<br /> [ 303.309794] Code: ???????? ???????? ???????? ???????? (????????)<br /> [ 303.310612] ---[ end trace 0000000000000000 ]---<br /> <br /> Fix this by adding a .reconfigure() function to the fs operations which<br /> we can use to check the requested flags and deny anything that&amp;#39;s not RO<br /> if the firmware doesn&amp;#39;t implement SetVariable at runtime.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> EDAC/thunderx: Fix possible out-of-bounds string access<br /> <br /> Enabling -Wstringop-overflow globally exposes a warning for a common bug<br /> in the usage of strncat():<br /> <br /> drivers/edac/thunderx_edac.c: In function &amp;#39;thunderx_ocx_com_threaded_isr&amp;#39;:<br /> drivers/edac/thunderx_edac.c:1136:17: error: &amp;#39;strncat&amp;#39; specified bound 1024 equals destination size [-Werror=stringop-overflow=]<br /> 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);<br /> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /> ...<br /> 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);<br /> ...<br /> 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);<br /> <br /> ...<br /> <br /> Apparently the author of this driver expected strncat() to behave the<br /> way that strlcat() does, which uses the size of the destination buffer<br /> as its third argument rather than the length of the source buffer. The<br /> result is that there is no check on the size of the allocated buffer.<br /> <br /> Change it to strlcat().<br /> <br /> [ bp: Trim compiler output, fixup commit message. ]

A vulnerability was found in CodeAstro Membership Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /uploads/ of the component Logo Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-254606 is the identifier assigned to this vulnerability.

A vulnerability was found in CodeAstro Membership Management System 1.0. It has been classified as critical. This affects an unknown part of the component Add Members Tab. The manipulation of the argument Member Photo leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254607.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: validate mech token in session setup<br /> <br /> If client send invalid mech token in session setup request, ksmbd<br /> validate and make the error if it is invalid.

A vulnerability has been found in Demososo DM Enterprise Website Building System up to 2022.8 and classified as critical. Affected by this vulnerability is the function dmlogin of the file indexDM_load.php of the component Cookie Handler. The manipulation of the argument is_admin with the input y leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254605 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Server-Side Request Forgery (SSRF) vulnerability in Raaj Trambadia Pexels: Free Stock Photos.This issue affects Pexels: Free Stock Photos: from n/a through 1.2.2.<br /> <br />

Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Sitepact.This issue affects Sitepact: from n/a through 1.0.5.

Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in Arne Franken All In One Favicon.This issue affects All In One Favicon: from n/a through 4.7.<br /> <br />