Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Check NULL before accessing<br /> <br /> [WHAT]<br /> IGT kms_cursor_legacy&amp;#39;s long-nonblocking-modeset-vs-cursor-atomic<br /> fails with NULL pointer dereference. This can be reproduced with<br /> both an eDP panel and a DP monitors connected.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted<br /> 6.16.0-99-custom #8 PREEMPT(voluntary)<br /> Hardware name: AMD ........<br /> RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]<br /> Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49<br /> 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30<br /> c2 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02<br /> RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668<br /> RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000<br /> RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760<br /> R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000<br /> R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c<br /> FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]<br /> amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]<br /> ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]<br /> amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]<br /> drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400<br /> drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30<br /> drm_crtc_get_last_vbltimestamp+0x55/0x90<br /> drm_crtc_next_vblank_start+0x45/0xa0<br /> drm_atomic_helper_wait_for_fences+0x81/0x1f0<br /> ...<br /> <br /> (cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths<br /> <br /> This patch addresses a race condition caused by unsynchronized<br /> execution of multiple call paths invoking `dwc3_remove_requests()`,<br /> leading to premature freeing of USB requests and subsequent crashes.<br /> <br /> Three distinct execution paths interact with `dwc3_remove_requests()`:<br /> Path 1:<br /> Triggered via `dwc3_gadget_reset_interrupt()` during USB reset<br /> handling. The call stack includes:<br /> - `dwc3_ep0_reset_state()`<br /> - `dwc3_ep0_stall_and_restart()`<br /> - `dwc3_ep0_out_start()`<br /> - `dwc3_remove_requests()`<br /> - `dwc3_gadget_del_and_unmap_request()`<br /> <br /> Path 2:<br /> Also initiated from `dwc3_gadget_reset_interrupt()`, but through<br /> `dwc3_stop_active_transfers()`. The call stack includes:<br /> - `dwc3_stop_active_transfers()`<br /> - `dwc3_remove_requests()`<br /> - `dwc3_gadget_del_and_unmap_request()`<br /> <br /> Path 3:<br /> Occurs independently during `adb root` execution, which triggers<br /> USB function unbind and bind operations. The sequence includes:<br /> - `gserial_disconnect()`<br /> - `usb_ep_disable()`<br /> - `dwc3_gadget_ep_disable()`<br /> - `dwc3_remove_requests()` with `-ESHUTDOWN` status<br /> <br /> Path 3 operates asynchronously and lacks synchronization with Paths<br /> 1 and 2. When Path 3 completes, it disables endpoints and frees &amp;#39;out&amp;#39;<br /> requests. If Paths 1 or 2 are still processing these requests,<br /> accessing freed memory leads to a crash due to use-after-free conditions.<br /> <br /> To fix this added check for request completion and skip processing<br /> if already completed and added the request status for ep0 while queue.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: storage: Fix memory leak in USB bulk transport<br /> <br /> A kernel memory leak was identified by the &amp;#39;ioctl_sg01&amp;#39; test from Linux<br /> Test Project (LTP). The following bytes were mainly observed: 0x53425355.<br /> <br /> When USB storage devices incorrectly skip the data phase with status data,<br /> the code extracts/validates the CSW from the sg buffer, but fails to clear<br /> it afterwards. This leaves status protocol data in srb&amp;#39;s transfer buffer,<br /> such as the US_BULK_CS_SIGN &amp;#39;USBS&amp;#39; signature observed here. Thus, this can<br /> lead to USB protocols leaks to user space through SCSI generic (/dev/sg*)<br /> interfaces, such as the one seen here when the LTP test requested 512 KiB.<br /> <br /> Fix the leak by zeroing the CSW data in srb&amp;#39;s transfer buffer immediately<br /> after the validation of devices that skip data phase.<br /> <br /> Note: Differently from CVE-2018-1000204, which fixed a big leak by zero-<br /> ing pages at allocation time, this leak occurs after allocation, when USB<br /> protocol data is written to already-allocated sg pages.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_eem: Fix memory leak in eem_unwrap<br /> <br /> The existing code did not handle the failure case of usb_ep_queue in the<br /> command path, potentially leading to memory leaks.<br /> <br /> Improve error handling to free all allocated resources on usb_ep_queue<br /> failure. This patch continues to use goto logic for error handling, as the<br /> existing error handling is complex and not easily adaptable to auto-cleanup<br /> helpers.<br /> <br /> kmemleak results:<br /> unreferenced object 0xffffff895a512300 (size 240):<br /> backtrace:<br /> slab_post_alloc_hook+0xbc/0x3a4<br /> kmem_cache_alloc+0x1b4/0x358<br /> skb_clone+0x90/0xd8<br /> eem_unwrap+0x1cc/0x36c<br /> unreferenced object 0xffffff8a157f4000 (size 256):<br /> backtrace:<br /> slab_post_alloc_hook+0xbc/0x3a4<br /> __kmem_cache_alloc_node+0x1b4/0x2dc<br /> kmalloc_trace+0x48/0x140<br /> dwc3_gadget_ep_alloc_request+0x58/0x11c<br /> usb_ep_alloc_request+0x40/0xe4<br /> eem_unwrap+0x204/0x36c<br /> unreferenced object 0xffffff8aadbaac00 (size 128):<br /> backtrace:<br /> slab_post_alloc_hook+0xbc/0x3a4<br /> __kmem_cache_alloc_node+0x1b4/0x2dc<br /> __kmalloc+0x64/0x1a8<br /> eem_unwrap+0x218/0x36c<br /> unreferenced object 0xffffff89ccef3500 (size 64):<br /> backtrace:<br /> slab_post_alloc_hook+0xbc/0x3a4<br /> __kmem_cache_alloc_node+0x1b4/0x2dc<br /> kmalloc_trace+0x48/0x140<br /> eem_unwrap+0x238/0x36c

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> most: usb: fix double free on late probe failure<br /> <br /> The MOST subsystem has a non-standard registration function which frees<br /> the interface on registration failures and on deregistration.<br /> <br /> This unsurprisingly leads to bugs in the MOST drivers, and a couple of<br /> recent changes turned a reference underflow and use-after-free in the<br /> USB driver into several double free and a use-after-free on late probe<br /> failures.

*** Pendiente de traducción *** In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH

*** Pendiente de traducción *** In JetBrains TeamCity before 2025.11.1 reflected XSS was possible on the storage settings page

*** Pendiente de traducción *** In JetBrains TeamCity before 2025.11.1 excessive privileges were possible due to storing GitHub personal access token instead of an installation token

*** Pendiente de traducción *** In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab

*** Pendiente de traducción *** In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup

*** Pendiente de traducción *** In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: udc: fix use-after-free in usb_gadget_state_work<br /> <br /> A race condition during gadget teardown can lead to a use-after-free<br /> in usb_gadget_state_work(), as reported by KASAN:<br /> <br /> BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0<br /> Workqueue: events usb_gadget_state_work<br /> <br /> The fundamental race occurs because a concurrent event (e.g., an<br /> interrupt) can call usb_gadget_set_state() and schedule gadget-&gt;work<br /> at any time during the cleanup process in usb_del_gadget().<br /> <br /> Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after<br /> device removal") attempted to fix this by moving flush_work() to after<br /> device_del(). However, this does not fully solve the race, as a new<br /> work item can still be scheduled *after* flush_work() completes but<br /> before the gadget&amp;#39;s memory is freed, leading to the same use-after-free.<br /> <br /> This patch fixes the race condition robustly by introducing a &amp;#39;teardown&amp;#39;<br /> flag and a &amp;#39;state_lock&amp;#39; spinlock to the usb_gadget struct. The flag is<br /> set during cleanup in usb_del_gadget() *before* calling flush_work() to<br /> prevent any new work from being scheduled once cleanup has commenced.<br /> The scheduling site, usb_gadget_set_state(), now checks this flag under<br /> the lock before queueing the work, thus safely closing the race window.