Vulnerabilidades

*** Pendiente de traducción *** In multiple locations, there is a possible lock screen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

*** Pendiente de traducción *** In MMapVAccess of pmr_os.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

*** Pendiente de traducción *** In multiple functions of UserController.java, there is a possible lock screen bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

*** Pendiente de traducción *** In bta_av_config_ind of bta_av_aact.cc, there is a possible out of bounds read due to type confusion. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

*** Pendiente de traducción *** pgAdmin

*** Pendiente de traducción *** PHPGurukul Online Shopping Portal 2.1 is vulnerable to Cross Site Scripting (XSS) in /admin/updateorder.php.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: usb-audio: Validate UAC3 power domain descriptors, too<br /> <br /> UAC3 power domain descriptors need to be verified with its variable<br /> bLength for avoiding the unexpected OOB accesses by malicious<br /> firmware, too.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/net: commit partial buffers on retry<br /> <br /> Ring provided buffers are potentially only valid within the single<br /> execution context in which they were acquired. io_uring deals with this<br /> and invalidates them on retry. But on the networking side, if<br /> MSG_WAITALL is set, or if the socket is of the streaming type and too<br /> little was processed, then it will hang on to the buffer rather than<br /> recycle or commit it. This is problematic for two reasons:<br /> <br /> 1) If someone unregisters the provided buffer ring before a later retry,<br /> then the req-&gt;buf_list will no longer be valid.<br /> <br /> 2) If multiple sockers are using the same buffer group, then multiple<br /> receives can consume the same memory. This can cause data corruption<br /> in the application, as either receive could land in the same<br /> userspace buffer.<br /> <br /> Fix this by disallowing partial retries from pinning a provided buffer<br /> across multiple executions, if ring provided buffers are used.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb3: fix for slab out of bounds on mount to ksmbd<br /> <br /> With KASAN enabled, it is possible to get a slab out of bounds<br /> during mount to ksmbd due to missing check in parse_server_interfaces()<br /> (see below):<br /> <br /> BUG: KASAN: slab-out-of-bounds in<br /> parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> Read of size 4 at addr ffff8881433dba98 by task mount/9827<br /> <br /> CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G<br /> OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary)<br /> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,<br /> BIOS 2.13.1 06/14/2019<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x9f/0xf0<br /> print_report+0xd1/0x670<br /> __virt_addr_valid+0x22c/0x430<br /> ? parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> ? kasan_complete_mode_report_info+0x2a/0x1f0<br /> ? parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> kasan_report+0xd6/0x110<br /> parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> __asan_report_load_n_noabort+0x13/0x20<br /> parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]<br /> ? trace_hardirqs_on+0x51/0x60<br /> SMB3_request_interfaces+0x1ad/0x3f0 [cifs]<br /> ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]<br /> ? SMB2_tcon+0x23c/0x15d0 [cifs]<br /> smb3_qfs_tcon+0x173/0x2b0 [cifs]<br /> ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]<br /> ? cifs_get_tcon+0x105d/0x2120 [cifs]<br /> ? do_raw_spin_unlock+0x5d/0x200<br /> ? cifs_get_tcon+0x105d/0x2120 [cifs]<br /> ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]<br /> cifs_mount_get_tcon+0x369/0xb90 [cifs]<br /> ? dfs_cache_find+0xe7/0x150 [cifs]<br /> dfs_mount_share+0x985/0x2970 [cifs]<br /> ? check_path.constprop.0+0x28/0x50<br /> ? save_trace+0x54/0x370<br /> ? __pfx_dfs_mount_share+0x10/0x10 [cifs]<br /> ? __lock_acquire+0xb82/0x2ba0<br /> ? __kasan_check_write+0x18/0x20<br /> cifs_mount+0xbc/0x9e0 [cifs]<br /> ? __pfx_cifs_mount+0x10/0x10 [cifs]<br /> ? do_raw_spin_unlock+0x5d/0x200<br /> ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]<br /> cifs_smb3_do_mount+0x263/0x1990 [cifs]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netlink: avoid infinite retry looping in netlink_unicast()<br /> <br /> netlink_attachskb() checks for the socket&amp;#39;s read memory allocation<br /> constraints. Firstly, it has:<br /> <br /> rmem sk_rcvbuf)<br /> <br /> to check if the just increased rmem value fits into the socket&amp;#39;s receive<br /> buffer. If not, it proceeds and tries to wait for the memory under:<br /> <br /> rmem + skb-&gt;truesize &gt; READ_ONCE(sk-&gt;sk_rcvbuf)<br /> <br /> The checks don&amp;#39;t cover the case when skb-&gt;truesize + sk-&gt;sk_rmem_alloc is<br /> equal to sk-&gt;sk_rcvbuf. Thus the function neither successfully accepts<br /> these conditions, nor manages to reschedule the task - and is called in<br /> retry loop for indefinite time which is caught as:<br /> <br /> rcu: INFO: rcu_sched self-detected stall on CPU<br /> rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212<br /> (t=26000 jiffies g=230833 q=259957)<br /> NMI backtrace for cpu 0<br /> CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack lib/dump_stack.c:120<br /> nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105<br /> nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62<br /> rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335<br /> rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590<br /> update_process_times kernel/time/timer.c:1953<br /> tick_sched_handle kernel/time/tick-sched.c:227<br /> tick_sched_timer kernel/time/tick-sched.c:1399<br /> __hrtimer_run_queues kernel/time/hrtimer.c:1652<br /> hrtimer_interrupt kernel/time/hrtimer.c:1717<br /> __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113<br /> asm_call_irq_on_stack arch/x86/entry/entry_64.S:808<br /> <br /> <br /> netlink_attachskb net/netlink/af_netlink.c:1234<br /> netlink_unicast net/netlink/af_netlink.c:1349<br /> kauditd_send_queue kernel/audit.c:776<br /> kauditd_thread kernel/audit.c:897<br /> kthread kernel/kthread.c:328<br /> ret_from_fork arch/x86/entry/entry_64.S:304<br /> <br /> Restore the original behavior of the check which commit in Fixes<br /> accidentally missed when restructuring the code.<br /> <br /> Found by Linux Verification Center (linuxtesting.org).

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: asix_devices: add phy_mask for ax88772 mdio bus<br /> <br /> Without setting phy_mask for ax88772 mdio bus, current driver may create<br /> at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.<br /> DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy<br /> device will bind to net phy driver. This is creating issue during system<br /> suspend/resume since phy_polling_mode() in phy_state_machine() will<br /> directly deference member of phydev-&gt;drv for non-main phy devices. Then<br /> NULL pointer dereference issue will occur. Due to only external phy or<br /> internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud<br /> the issue.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()<br /> <br /> Lei Lu recently reported that nfsd4_setclientid_confirm() did not check<br /> the return value from get_client_locked(). a SETCLIENTID_CONFIRM could<br /> race with a confirmed client expiring and fail to get a reference. That<br /> could later lead to a UAF.<br /> <br /> Fix this by getting a reference early in the case where there is an<br /> extant confirmed client. If that fails then treat it as if there were no<br /> confirmed client found at all.<br /> <br /> In the case where the unconfirmed client is expiring, just fail and<br /> return the result from get_client_locked().