Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Debian Linux Security Advisory 5371-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5371-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
March 09, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-1213 CVE-2023-1214 CVE-2023-1215 CVE-2023-1216  
                 CVE-2023-1217 CVE-2023-1218 CVE-2023-1219 CVE-2023-1220  
                 CVE-2023-1221 CVE-2023-1222 CVE-2023-1223 CVE-2023-1224  
                 CVE-2023-1225 CVE-2023-1226 CVE-2023-1227 CVE-2023-1228  
                 CVE-2023-1229 CVE-2023-1230 CVE-2023-1231 CVE-2023-1232  
                 CVE-2023-1233 CVE-2023-1234 CVE-2023-1235 CVE-2023-1236

Multiple security issues were discovered in Chromium, which could result  
in the execution of arbitrary code, denial of service or information  
disclosure.

For the stable distribution (bullseye), these problems have been fixed in  
version 111.0.5563.64-1~deb11u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQKMPAACgkQEMKTtsN8  
TjYhlg/8CfPNklE4eO+wy0otR3hUK3XNeXJqOKSUFybRmZ9223lANRVwBHHTudqh  
1Xi/PxnSDVHNH2hqVQZQwnIiTVPXedT8fgS50eoR0RfJjDSy79rL+oLNXbqb8F3/  
jY07r1McfUUIjVzg8H/jSVN0fKQG0z53RSx9eX8jITb4r4N1Wy8DQ0XzVGFTxzuR  
ao3e7kM/TW8Z/hsHSrLTJiMnqha15GGn9d8IOK5ecqEgWNIOeeDM0WQGoITuIgYq  
GqEufHOhgEDbaty6kMzYWPqeVFq/7jkTwBiMTSi6Grjwb+2KroMJPQhg5jkfslpL  
bXAom3Sr3lArp88cNR0g8p41G7MjbP1fq5STUxT056zKFGO+cySaxhn4ryMfcPFx  
dKqXSHxDSpPjLz1qFTPZovU+x0O6HIazoa4MupAhIxlLvkcdYC2/35DrCr6098HR  
X+v8psjeczukkBBzA8eIQGH07f2jWwXxSlLoNr4ClePnsk6YLvZTg0ua/snF/x5i  
NmDs2tQkhHKCkLzsu1L0uyImBuiIihBNLasNUpIinjf4iLOtSrl+vsSzOipvIwaW  
FL5LYoOPao4n+zBGjOQwUceQ9SJsB1hljk8YUfvgbotzwup5YCqRF6FwAXvlR9kh  
Eo/izaErx3FvokrfaifufKAeOrSn+AP9LsHrm2fkuCBNXqz3Z1c=gwSp  
-----END PGP SIGNATURE-----

Debian Security Advisory 5371-1

Debian Linux Security Advisory 5370-1 - Ronald Crane discovered that missing input saniting in the apr_encode functions of apr, the Apache Portable Runtime library, may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5370-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMarch 07, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : aprCVE ID         : CVE-2022-24963Ronald Crane discovered that missing input saniting in the apr_encodefunctions of apr, the Apache Portable Runtime library, may result indenial of service or potentially the execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 1.7.0-6+deb11u2.We recommend that you upgrade your apr packages.For the detailed security status of apr please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/aprFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQHo6lfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RadA/9FBVTrnAYXoqBJKLvvbNvPgKJnH+Ll5pVZa6rDEmum5Hph7TEszT+yB4fk37TxZicRIQKTs1t5UPPATVGn1JXqOfNTvxqz5MDWzAe48gCF6V/xwEYqAScA6BOk9cd+5C5GFF1t/TEUz6v9I2plZ4WMjSPEW0Tl1zervirvBBSjql7RDGP/uGM+2gPzayc4ufLJEOhaprQptp6wPyMaAgd2vTNoqzVW3StZd/7aBRMSHyN9qMy+WFAUwWNBgF9Uk8LInVMNDT0JGjHFqlHXi4zHGgBCUHz3l4SWvUwBhrjX4JRcN2egZ07A/1nrN7pVgCtRPkY9vdwKTnM9yMOV5cJ0fQvYlX73Zwogay4WYWFu3lNFAW1KsnlFcGEhGIKpJCOjV+BBvcJrR9CWPChKpGTbW0naKfAXUcFBcyGsovkFfzH45idrmkNFw+oZVRLt95LhNj0/AinYuaTpT7guPnOIvblZ/g608ULAtTS/BIiN4lTiQ9gjSTWeILoYFui8ZpFcFIQMgRb8aIeyjQJOp/I/4t5dRBcKdNh7xlxgGNJTPPwY+Acpc3hippepcPdtKBq5MBPWvz5fI45DtE3Nbn0GrgPFwW0u7z8xIJ05lyLdTRTozkZTlSzmfTev58rxaUqnm+CuZEeEoCbdDZ2uOpRmP031VqXVoQKRer6xm8VkO0=J/gX-----END PGP SIGNATURE-----

Debian Security Advisory 5370-1

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 8 Feb 2023 06:45:22 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: \[vs\] heimdal: CVE-2022-45142: signature validation failure

Hi,

I am hereby publishing a vulnerability in heimdal backports by attaching
the exact mail sent to distros@...openwall.org last week.

----- Forwarded message from Helmut Grohne <helmut@...divi.de> -----

Date: Tue, 31 Jan 2023 15:52:58 +0100
From: Helmut Grohne <helmut@...divi.de>
To: distros@...openwall.org
Cc: heimdal-security@...mdal.team, Andrew Bartlett <abartlet@...ba.org>, Jeffrey Altman <jaltman@...ure-endpoints.com>, Joseph Sutton <josephsutton@...alyst.net.nz>, Nicolas Williams
	<nico@...sigma.com>, "Roberto C. Sánchez" <roberto@...exian.com>, Salvatore Bonaccorso <carnil@...ian.org>
Subject: \[vs\] heimdal: CVE-2022-45142: signature validation failure

(Resent with proper subject tag)

CVE-2022-3437 was a vulnerability affecting heimdal and samba. It was
fixed in both places. The fix included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0" comparisons to
the result of memcmp. When these patches were backported to the
heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a
logic inversion sneaked in causing the validation of message integrity
codes in gssapi/arcfour to be inverted.

This vulnerability does not affect samba nor the main heimdal branch and
only applies to backports. At least the 7.7.1 and 7.8.0 branches are
affected. CVE-2022-45142 has been assigned. All releases of Debian are
affected. At least one release of Fedora and Ubuntu are affected.

Timeline of events

2022-12-09 Issue discovered by me during backporting of patches
2022-12-09 Notified Debian security team
2022-12-09 Notified heimdal and samba
2022-12-09 Jeffrey Altman (heimdal) confirmed the problem
2022-12-10 Andrew Bartlett (samba) replied as not affected
2022-12-13 Patch v1
2022-12-13 Jeffrey Altman (heimdal) reviewed the patch
2022-12-13 Patch v2 (updated commit message)
2022-12-22 Last reply from heimdal (Jeffrey Altman) asking for more time
2022-12-25 Ping
2023-01-04 Ping
2023-01-13 Ping
2023-01-20 Ping and notified Ubuntu security team
2023-01-30 CVE-2022-45142 assigned
2023-01-31 Unilateral disclosure to distros mailinglist
2023-02-08 Proposed public disclosure to oss-sec

I would like to thank Salvatore Bonaccorso for handling most of the
coordination. Thanks also to go Jeffrey Altman and Andrew Bartlett for
their timely replies. My work on this issue is paid by Freexian SARL.

Patch below

Helmut

From: Helmut Grohne <helmut@...divi.de>
Subject: \[PATCH v3\] CVE-2022-45142: gsskrb5: fix accidental logic inversions

The referenced commit attempted to fix miscompilations with gcc-9 and
gcc-10 by changing \`memcmp(...)\` to \`memcmp(...) != 0\`. Unfortunately,
it also inverted the result of the comparison in two occasions. This
inversion happened during backporting the patch to 7.7.1 and 7.8.0.

Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
 for arcfour unwrap")
Signed-off-by: Helmut Grohne <helmut@...divi.de>
---
 lib/gssapi/krb5/arcfour.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Changes since v1:
 \* Fix typo in commit message.
 \* Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.

Changes since v2:
 \* Add CVE identifier.

diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
index e838d007a..eee6ad72f 100644
--- a/lib/gssapi/krb5/arcfour.c
+++ b/lib/gssapi/krb5/arcfour.c
@@ -365,7 +365,7 @@ \_gssapi\_verify\_mic\_arcfour(OM\_uint32 \* minor\_status,
 	return GSS\_S\_FAILURE;
     }

-    cmp = (ct\_memcmp(cksum\_data, p + 8, 8) == 0);
+    cmp = (ct\_memcmp(cksum\_data, p + 8, 8) != 0);
     if (cmp) {
 	\*minor\_status = 0;
 	return GSS\_S\_BAD\_MIC;
@@ -730,7 +730,7 @@ OM\_uint32 \_gssapi\_unwrap\_arcfour(OM\_uint32 \*minor\_status,
 	return GSS\_S\_FAILURE;
     }

-    cmp = (ct\_memcmp(cksum\_data, p0 + 16, 8) == 0); /\* SGN\_CKSUM \*/
+    cmp = (ct\_memcmp(cksum\_data, p0 + 16, 8) != 0); /\* SGN\_CKSUM \*/
     if (cmp) {
 	\_gsskrb5\_release\_buffer(minor\_status, output\_message\_buffer);
 	\*minor\_status = 0;
--
2.38.1

----- End forwarded message -----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-45142: security - [vs] heimdal: CVE-2022-45142: signature validation failure

Debian Linux Security Advisory 5369-1 - It was discovered that an integer overflow in the RFC3164 parser of syslog-ng, a system logging daemon, may result in denial of service via malformed syslog messages.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5369-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 05, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : syslog-ngCVE ID         : CVE-2022-38725It was discovered that an integer overflow in the RFC3164 parser ofsyslog-ng, a system logging daemon, may result in denial of servicevia malformed syslog messages.For the stable distribution (bullseye), this problem has been fixed inversion 3.28.1-2+deb11u1.We recommend that you upgrade your syslog-ng packages.For the detailed security status of syslog-ng please refer toits security tracker page at:https://security-tracker.debian.org/tracker/syslog-ngFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQE698ACgkQEMKTtsN8TjbwMA//fjYv/pxioC2xcpMfa4gXASqjjVEHcxm5SJDjfb31LhSn4U7YtcMu/Bl7DdMGZXEEveoPdq5jIq1oI7/7stW/C92rzsfpEsTC27nufvlaXBZCZrVrggiK3jJeaso+96H54iUf1L6fAPy+E1U3hQxKpQbK1UwelOD5SnSjTTBkh2HixIgZmcPojnb6X8zUTrsPWqpiOKibvH1RsH1JSGQW5wFj1ooUJHitS6wi4hE+yrOAGX3mzINpfxN2RMWA2190IDrNSM34dakvdNtkGCCviPMINW7Z9fJ9NIj83CRvzEXHZzKArqqmR0KcnQ9nclQP7HSaCbMu+84uMP/iebjr9b5P1P5lGVOF/yykN335XoEnPQkRBKjZEXjrfC+cckhhfAH6/xLB/FQwvKCvrO5v5skQofoEO0t2dTWZS6Mhib+wqWKg+MMvxE11cyPHquNe1B+SFdypWpKXfMYww223y3fidN1WLdCt5wOIj9PP7a0FyJWMwO9VQUCNeC9W47FQqh9hul+tvfGHKSd+9gqXZH0gaKDyqbsym7BAWt+yxftDXqZuRTKMytJ53206W0jwF9lzGag3xa39PqxH6gjC1PrT5k+4lijDbHlQFjBXBegYQI4F/YUbnYqoEcvCB9iq68tSMlpB2pafqPIB+pg465Z9Tqtdl5VZbgmzERQm46c=X2eM-----END PGP SIGNATURE-----

Debian Security Advisory 5369-1

Debian Linux Security Advisory 5368-1 - It was discovered that the libreswan IPsec implementation could be forced into a crash/restart via malformed IKEv2 packets after peer authentication, resulting in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5368-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMarch 03, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libreswanCVE ID         : CVE-2023-23009Debian Bug     : 1031821It was discovered that the libreswan IPsec implementation could beforced into a crash/restart via malformed IKEv2 packets after peerauthentication, resulting in denial of service.For the stable distribution (bullseye), this problem has been fixed inversion 4.3-1+deb11u3.We recommend that you upgrade your libreswan packages.For the detailed security status of libreswan please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/libreswanFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQCUIxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0R+XA/8C9tcRpaDWv6IsxJam+6YPviUXdUGQ6NgJOSxes7NHjl4mdYbJm/xUrm/nM4C272cHbhfd/RJf/TqZM+aPvJ6ohcq6OfgVQlef7ys92RDPrpyOq0jVyWzHI6O/CsRRMehgQD68Q5RAUe9CFxGDZ2YfI/+sEyts6bh0h4TStZbWWYSVO/ZhQvrLRbHevGBoHX6qNRu8PYTlkgDeBmDpHAuHE6s5IlTwldaFSZlxMI2DycRBEF7ZiqKPXGlgcn5gX0qQbfZOD9AlKEr5dlvMLQYE4AHWIgh35clwr7Nm/BqXP4QXGvMu4Of+djcu+z+OIRhJqgVOJ3+cYYu4NN6wwGs6ZJgKtYxEYRRepUo0/fomM4YDZery3LgaCA4HdbeW4oMbQm1az1VjwQBaOk1O0kKcA3Po87PRQCNSyZnus7f5IflT5G75tZn4HyUs54iYoo6jT3lZ1zS9STupO8TdmWdEQpo6RCoIh8h4b89/+Uv4g6LlvFilyT+cf7HZVC4sEJ8VW/eSg9PwNfcYWlEAzJeVZccUPatLLe6bKf6Hi4c9JTcnlITpExtd4qn4C4+5glzy910OGHjKXS2ljJCgVi+A9ch7Bndi7y07apYwh+yavbvppCbC6h5PauEPIPc4ElQHa7cTOUjIAj4M9fD1JtK0BSwQ17hAwDCRa8PYRmWAJ4=S2f1-----END PGP SIGNATURE-----

Debian Security Advisory 5368-1

Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.

    Android: GKI kernels contain broken non-upstream Speculative Page Faults MM codeA central recurring theme in Linux MM development is that contention on themmap lock can have a big negative performance impact on multithreaded workloads:If one thread is holding the mmap lock in exclusive mode for an extended amountof time, other threads will block as soon as they try to handle a page fault.Therefore there is a bunch of work to downgrade exclusive lock holders tonon-exclusive lock holders, shrink critical sections, and avoid holding the lockaltogether in some cases.One proposal to avoid holding the mmap lock in page fault handling are\"Speculative page faults (SPF)\"; here's a patch series from 2019 that had alreadygone through 11 rounds of review:<https://lore.kernel.org/lkml/20190416134522.17540-1-ldufour@linux.ibm.com/t/>This patch series didn't land at the time; but something along those lines mightland upstream in the next few years.But for some reason, Android decided that they need speculative page faultsimmediately, and merged the patches that were discussed on the upstream mailinglist into their GKI kernels. This is problematic for two reasons:A) The MM code is complicated and easy to get wrong.   If you run MM code that has not been through the fuzzing, testing and review   that committed upstream code gets, there's a higher chance of undiscovered   bugs.B) The SPF patches **change the rules** that MM code has to follow, so now   Android's version of MM has different rules than upstream MM.   This means that any patches in vaguely related parts of upstream MM need to   be checked by an Android engineer to see if they conflict with Android's   special rules.As far as I can tell, there are a bunch of memory safety bugs in the SPF versionthat is currently in AOSP's android13-5.10 branch (at commit 232bdcbd660b):1. handle_pte_fault() calls pmd_none() without protection against concurrent   page table deletion, leading to UAF read.2. do_anonymous_page() calls pte_alloc() without protection against concurrent   page table deletion, leading to UAF write.3. do_anonymous_page() calls pmd_trans_unstable() without protection against   concurrent page table deletion, leading to UAF read.4. do_swap_page() -> migration_entry_wait() -> __migration_entry_wait() operates   on a page table without protection against concurrent page table deletion,   leading to use-after-union-change read+write in struct page (on the page   table lock) and use-after-free read of a page table entry (resulting in bogus   page* calculation)5. do_wp_page() calls handle_userfault() without protection against concurrent   userfaultfd_release(), leading to UAF reads of some flags from   userfaultfd_ctx.   I think back when the SPF series was posted upstream, there might have been   sufficient protection against this (because ___handle_speculative_fault()   bails on VMAs with VM_UFFD_MISSING), but since then the WP userfaultfd   support was added, and ___handle_speculative_fault() doesn't bail on   VM_UFFD_WP. do_wp_page() also doesn't check the cached VMA flags, it uses   userfaultfd_pte_wp() which reads flags from the VMA.6. The way seqcounts are used to detect concurrent writers looks wrong.   The seqcount API requires that only one writer at a time can be in a   vm_write_begin() / vm_write_end() section, but these helpers are used in   codepaths that only hold the mmap lock in shared mode, so there can be   concurrent writers.   As far as I can tell, this means that when there are an even number of   concurrent writers, it will look as if there are no active writers.   This _probably_ doesn't have much security impact because all of the places   that do vm_write_begin() where concurrency would be an actual problem seem to   hold the mmap lock in exclusive mode?As an example, I tested issue 2. To reproduce this easily, I patched an extradelay into the kernel:```diff --git a/mm/memory.c b/mm/memory.cindex 83b715ed65775..35ce412d0a965 100644--- a/mm/memory.c+++ b/mm/memory.c@@ -84,6 +84,8 @@ #include <asm/tlb.h> #include <asm/tlbflush.h> +#include <linux/delay.h>+ #include \"pgalloc-track.h\" #include \"internal.h\" @@ -3819,6 +3821,12 @@ static vm_fault_t do_anonymous_page(struct vm_fault *vmf)        vm_fault_t ret = 0;        pte_t entry; +       if (strcmp(current->comm, \"SLOWME\") == 0 && (vmf->flags & FAULT_FLAG_SPECULATIVE)) {+               pr_warn(\"%s: BEGIN DELAY 0x%lx\\", __func__, vmf->address);+               mdelay(2000);+               pr_warn(\"%s: END DELAY 0x%lx\\", __func__, vmf->address);+       }+        /* File mapping without ->vm_ops ? */        if (vmf->vma_flags & VM_SHARED)                return VM_FAULT_SIGBUS;```Then, I ran this testcase on an x86 build with ASAN and CONFIG_PREEMPT:```#define _GNU_SOURCE#include <pthread.h>#include <err.h>#include <unistd.h>#include <sys/prctl.h>#include <sys/mman.h>// basic idea:// delete the 1G-covering page table while do_anonymous_page() is at its entry// point#define VMA_ADDR ((void*)0x40000000UL)#define VMA_SIZE (0x40000000UL)#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})static void *thread_fn(void *dummy) {  SYSCHK(prctl(PR_SET_NAME, \"SLOWME\"));  *(volatile char *)VMA_ADDR;  SYSCHK(prctl(PR_SET_NAME, \"spfthread\"));}int main(void) {  SYSCHK(mmap(VMA_ADDR, VMA_SIZE, PROT_READ|PROT_WRITE,                        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0));  SYSCHK(madvise(VMA_ADDR, VMA_SIZE, MADV_NOHUGEPAGE));  // create anon_vma and page tables  *(volatile char *)(VMA_ADDR+0x1000) = 1;  pthread_t thread;  if (pthread_create(&thread, NULL, thread_fn, NULL))    errx(1, \"pthread_create\");  sleep(1);  munmap(VMA_ADDR, VMA_SIZE);  if (pthread_join(thread, NULL))    errx(1, \"pthread_join\");  return 0;}```This first results in a UAF read of a PTE:```do_anonymous_page: BEGIN DELAY 0x40000000do_anonymous_page: END DELAY 0x40000000==================================================================BUG: KASAN: use-after-free in handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687) Read of size 8 at addr ffff88800f358000 by task SLOWME/724CPU: 12 PID: 724 Comm: SLOWME Not tainted 5.10.107-00033-g232bdcbd660b-dirty #215Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014Call Trace:dump_stack_lvl (lib/dump_stack.c:120) [...]print_address_description.constprop.0 (mm/kasan/report.c:257) [...][...]kasan_report.cold (mm/kasan/report.c:444 mm/kasan/report.c:460) [...]handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687) [...]___handle_speculative_fault (./include/linux/memcontrol.h:686 mm/memory.c:5106) [...]__handle_speculative_fault (mm/memory.c:5148) [...]do_user_addr_fault (arch/x86/mm/fault.c:1320) [...]exc_page_fault (./arch/x86/include/asm/irqflags.h:157 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518) [...]asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:571) RIP: 0033:0x55d52bfe41fb```Then pte_alloc() tries to lock the page table entry:```BUG: KASAN: use-after-free in do_raw_spin_lock (kernel/locking/spinlock_debug.c:83 kernel/locking/spinlock_debug.c:112) Read of size 4 at addr ffff88801a730004 by task SLOWME/724```and after that, it will write into the freed page table.From a security perspective, my recommendation is to fix this by reverting thespeculative page fault patches out of the GKI trees, since I believe that sucha divergence from upstream semantics is not maintainable. Looking through thecommit history of the AOSP android13-5.10 kernel branch also shows that a seriesof bugs have already been discovered that were introduced by SPF:81a1ae6b4395a ANDROID: mm: unlock the page on speculative fault retry88e4dbaf592d8 ANDROID: Make MGLRU aware of speculative faults320ffbea77113 ANDROID: mm: Fix page table lookup in speculative fault path729a79f366e5e ANDROID: fix mmu_notifier race caused by not taking mmap_lock during SPFc3cbea92297d5 ANDROID: mm: avoid writing to read-only elementsdd3f538bf715c ANDROID: x86/mm: fix vm_area_struct leak in speculative pagefault handlingcf397c6c269ac ANDROID: mm: sync rss in speculative page fault path531f65ae67382 ANDROID: mm: Fix sleeping while atomic during speculative page faultThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-02-01.Please note that, according to our disclosure policy, if Project Zero discoversa variant of a previously reported Project Zero bug, technical details of thevariant will be added to the existing Project Zero report (which may be alreadypublic) and the report will not receive a new deadline.Project Zero will consider new race conditions where the SPF fault path accessespage tables or the VMA without sufficient locking variants of this issue.This includes issues that are introduced after this bug is reported.For more details, seehttps://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html.Related CVE Number: CVE-2023-20937.Found by: jannh@google.com

Android GKI Kernels Contain Broken Non-Upstream Speculative Page Faults MM Code

debmany in debian-goodies 0.88.1 allows attackers to execute arbitrary shell commands (because of an eval call) via a crafted .deb file. (The path is shown to the user before execution.)

**Debian Bug report logs - #1031267  
debmany: shell injection**

Reported by: Jakub Wilk <jwilk@jwilk.net>

Date: Tue, 14 Feb 2023 09:57:01 UTC

Severity: normal

Tags: confirmed, patch, pending, security

Found in version debian-goodies/0.88.1

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, Javier Fernández-Sanguino Peña <jfs@debian.org>:  
Bug#1031267; Package debian-goodies. (Tue, 14 Feb 2023 09:57:03 GMT) (full text, mbox, link).

Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Package: debian-goodies
Version: 0.88.1
Tags: security

debmany passes filenames from the .deb (which should be considered 
untrusted input) to eval.

I've attached proof-of-concept exploit.

-- 
Jakub Wilk

\[injection.deb (application/vnd.debian.binary-package, attachment)\]

**Information forwarded** to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:  
Bug#1031267; Package debian-goodies. (Tue, 14 Feb 2023 10:06:07 GMT) (full text, mbox, link).

Message #6 received at 1031267@bugs.debian.org (full text, mbox, reply):

\* Jakub Wilk <jwilk@jwilk.net>, 2023-02-14 10:53:
>attached proof-of-concept exploit.

The code that generated the crafted .deb is here:
https://github.com/jwilk/crafted.deb/blob/master/gen-deb1031267-debmany

-- 
Jakub Wilk

**Information forwarded** to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:  
Bug#1031267; Package debian-goodies. (Tue, 14 Feb 2023 14:57:02 GMT) (full text, mbox, link).

**Acknowledgement sent** to Axel Beckert <abe@debian.org>:  
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@debian.org>. (Tue, 14 Feb 2023 14:57:03 GMT) (full text, mbox, link).

Message #11 received at 1031267@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Control: tag -1 + confirmed

Hi Jakub,

thanks for the bug report.

Jakub Wilk wrote:
> debmany passes filenames from the .deb (which should be considered untrusted
> input) to eval.
>
> I've attached proof-of-concept exploit.

Thanks. Can reproduce it.

Given that the full path including the exploit code is always shown to
the user before the exploit actually runs, I consider the impact
rather low:

┌────────────────────────┤ Select a file (file:./injection.deb) ├────────────────────────┐
│                                                                                        │
│  usr/share/doc/$(cowsay${IFS}pwned>/dev/tty;sleep${IFS}inf)/changelog.gz changelog.gz  │
│                                                                                        │
│                      <Ok>                                 <Cancel>                     │
│                                                                                        │
└────────────────────────────────────────────────────────────────────────────────────────┘

Accordingly a severity of only "normal" seems fitting.

Should be fixed nevertheless. Will look into it.

		Regards, Axel
-- 
 ,''\`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
\`. \`'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  \`-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

\[signature.asc (application/pgp-signature, inline)\]

**Added tag(s) confirmed.** Request was from Axel Beckert <abe@debian.org> to 1031267-submit@bugs.debian.org. (Tue, 14 Feb 2023 14:57:03 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:  
Bug#1031267; Package debian-goodies. (Sun, 19 Feb 2023 04:51:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to Axel Beckert <abe@debian.org>:  
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@debian.org>. (Sun, 19 Feb 2023 04:51:03 GMT) (full text, mbox, link).

Message #18 received at 1031267@bugs.debian.org (full text, mbox, reply):

Control: tag -1 + patch pending

Hi Jakub,

found time to analyse this closer.

Axel Beckert wrote:
> Given that the full path including the exploit code is always shown to
> the user before the exploit actually runs, I consider the impact
> rather low:
> 
> ┌────────────────────────┤ Select a file (file:./injection.deb) ├────────────────────────┐
> │                                                                                        │
> │  usr/share/doc/$(cowsay${IFS}pwned>/dev/tty;sleep${IFS}inf)/changelog.gz changelog.gz  │
> │                                                                                        │
> │                      <Ok>                                 <Cancel>                     │
> │                                                                                        │
> └────────────────────────────────────────────────────────────────────────────────────────┘

And this even though $manpages (which holds a space separated list of
all files to offer) is — on purpose — unquoted when passing to the
selection program.

But the real culprit is the use of eval in lines 415, 422 and 424:

  414       debug "Opening manpage file: "\`printf "$mancmdline" "$PWD/$file"\` # comment
  415       eval $(printf "$mancmdline" "$PWD/$file")
  416       cd - >/dev/null
  417     else
  418       # other file (usr/share/doc)
  419       debug "Opening other file: "\`printf "$othercmdline" "$PWD/$return"\` # comment
  420       if \[\[ "$return" =~ \\.gz$ \]\]
  421       then
  422               eval $(printf "gzip -dc $PWD/$return | $othercmdline")
  423       else
  424               eval $(printf "$othercmdline" "$PWD/$return")
  425       fi

Eval is evil. Once again.

My first thought was to just exclude all files with shell special
characters, especially '$(' and friends. But

  apt-file search -n \\$\\( | fgrep /usr/share/doc/

shows that these are actually used (and fail with debmany due to the
issue reported by Jakub):

  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Maths/hex$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/chr$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/insert$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/lCase$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/lTrim$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/left$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/mid$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/replace$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/replaceSubstr$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/reverse$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/right$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/space$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/str$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/string$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/trim$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/typeOf$().html
  sdlbasic: /usr/share/doc/sdlbasic/english/sections/commands/Strings/uCase$().html

Additionally there are tons of files with just $ or any kind of brackets.

Just quoting them "properly" inside the eval and printf won't help as
you can always escape from there by just ending the according
quotation by adding a closing quote character into your file path.

In case of the ".gz" case in your example, it's easier to fix as you
can simply move "gzip -dc $PWD/$return |" out of the eval/printf.

But in the other cases it's less simple.

So I came up with the following fix which uses command instead of
eval, and bash pattern substitution to replace %s with the file name
instead letting printf inside an $() doing the substitution:

diff --git a/debmany/debmany b/debmany/debmany
index 7eeb68b..dfea6e9 100755
--- a/debmany/debmany
+++ b/debmany/debmany
@@ -96,6 +96,19 @@ Examples: debmany foo.deb  show manpages from a local package file foo.deb
   fi
 }
 
+replace\_percent\_s\_and\_execute() {
+  replacement="$1"
+  shift
+  declare -a cmdarr
+  cmdarr=($@)
+  debug "cmdarr before; ${cmdarr\[@\]}"
+  for i in ${!cmdarr\[@\]}; do
+    cmdarr\[$i\]="${cmdarr\[$i\]/\\%s/$replacement}"
+  done
+  debug "cmdarr after; ${cmdarr\[@\]}"
+  command "${cmdarr\[@\]}"
+}
+
 while \[ $# -gt 0 \]
 do
   case $1 in
@@ -377,6 +390,7 @@ else
   dpkg --fsys-tarfile "$file" | tar --wildcards -xf - $mandirs 2>/dev/null
   # find all manpage files
   manpages=\`find usr -type f 2>/dev/null|sort|sed -e 's|\$\[^/\]\*\$$|\\1 \\1|'\`
+  # | egrep -v '\[\\\`\\\\${}\*?;<>|\]'
 fi
 
 while true
@@ -412,16 +426,16 @@ do
         cd "$path"
       fi
       debug "Opening manpage file: "\`printf "$mancmdline" "$PWD/$file"\` # comment
-      eval $(printf "$mancmdline" "$PWD/$file")
+      replace\_percent\_s\_and\_execute "$PWD/$file" "$mancmdline"
       cd - >/dev/null
     else
       # other file (usr/share/doc)
       debug "Opening other file: "\`printf "$othercmdline" "$PWD/$return"\` # comment
       if \[\[ "$return" =~ \\.gz$ \]\]
       then
-              eval $(printf "gzip -dc $PWD/$return | $othercmdline")
+              gzip -dc "$PWD/$return" | replace\_percent\_s\_and\_execute '-' "$othercmdline"
       else
-              eval $(printf "$othercmdline" "$PWD/$return")
+              replace\_percent\_s\_and\_execute "$PWD/$return" "$othercmdline"
       fi
     fi
   else

This is now committed as
https://salsa.debian.org/debian/debian-goodies/-/commit/495eaafa94d2b4cbee4eed01cd78238e311d096b
but I'd be happy about a review before I upload.

I will also do some more testing on my side.

		Regards, Axel
-- 
 ,''\`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
\`. \`'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  \`-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

**Added tag(s) patch and pending.** Request was from Axel Beckert <abe@debian.org> to 1031267-submit@bugs.debian.org. (Sun, 19 Feb 2023 04:51:03 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Sun Mar 5 22:36:39 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2023-27635: #1031267 - debmany: shell injection

Debian Linux Security Advisory 5367-1 - It was discovered that SPIP, a website engine for publishing, would allow a malicious user to execute arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5367-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondMarch 02, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : spipCVE ID         : CVE-2023-27372It was discovered that SPIP, a website engine for publishing, wouldallow a malicious user to execute arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 3.2.11-3+deb11u7.We recommend that you upgrade your spip packages.For the detailed security status of spip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/spipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmQAP4QACgkQEL6Jg/PVnWSHawgAm8iQlTcFT98cMImGBx8XTO70YPcgzIMK87mvmQn3NR30/dM9icfBVVu3l9Ks2mPa0yYIT0DTeXghTclf8hnJtOM2T4buRPD6po6ZyEgX5AlwN6xaZPAkYxiz+7GXiqYZAHAMShIZhhMr1CcIDsE093TC8dLdZFosSVtI7sylxTgbSlJl1xafhe6/6fhI2DcDr4ov7MrkfcjCT2BY9um/pH/L2lIKTDcHahgoxGf9wcurANtwHwHQsBNR3R5nxScH/1wTI53am6rPCYFuLGlGEcY6c2HyJPR3j3o+sUFYca+4fGNbmwuS8fOhhOgz19DTow374IwJU1qnoZjvrbB58g=ÌjC-----END PGP SIGNATURE-----

Debian Security Advisory 5367-1

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

  
CVE-2023-25544

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

7.5  
High

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2023-24567

Dell NetWorker versions 19.5 and earlier contain 'RabbitMQ' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

7.5  
High

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

  
CVE-2023-25544

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

7.5  
High

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2023-24567

Dell NetWorker versions 19.5 and earlier contain 'RabbitMQ' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

7.5  
High

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Applicable platforms**

**Link to Update**

CVE-2023-25544

Dell NetWorker,  
NVE

19.5 and earlier versions

19.6 and later versions

Windows,  
Linux (CentOS, OEL, SuSE, Red Hat Enterprise Linux, Debian, Ubuntu, Fedora)

https://www.dell.com/support/home/en-ca/product-support/product/networker/drivers  
 

CVE-2023-24567

 

**NOTE:** Impacted components: NetWorker AuthC, NetWorker Server.

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Applicable platforms**

**Link to Update**

CVE-2023-25544

Dell NetWorker,  
NVE

19.5 and earlier versions

19.6 and later versions

Windows,  
Linux (CentOS, OEL, SuSE, Red Hat Enterprise Linux, Debian, Ubuntu, Fedora)

https://www.dell.com/support/home/en-ca/product-support/product/networker/drivers  
 

CVE-2023-24567

 

**NOTE:** Impacted components: NetWorker AuthC, NetWorker Server.

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2023-03-01

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

NetWorker Family, NetWorker, NetWorker Series, NetWorker Module, Product Security Information

01 maalisk. 2023

Tag

#debian