QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.

Skip to content

GitLab

*   *   Why GitLab
    *   Pricing
    *   Contact Sales
    *   Explore
    
*   Why GitLab
*   Pricing
*   Contact Sales
*   Explore

*   Sign in
*   Register

*   Thomas Huth
*   QEMU
*   Commits
*   3f911044

**Commit 3f911044** authored Aug 17, 2023 by  **Thomas Huth**

Browse files

**hw/scsi/scsi-disk: Disallow block sizes smaller than BDRV\_SECTOR\_SIZE**

We are doing things like

    nb\_sectors /= (s->qdev.blocksize / BDRV\_SECTOR\_SIZE);

in the code here (e.g. in scsi\_disk\_emulate\_mode\_sense()), so if
the blocksize is smaller than BDRV\_SECTOR\_SIZE (=512), this crashes
with a division by 0 exception. Thus disallow block sizes of 256
bytes to avoid this situation.

Resolves: qemu-project/qemu#1813

Signed-off-by: Thomas Huth <thuth@redhat.com\>

parent e3ea247f

*   Changes 1

Hide whitespace changes

Inline Side-by-side

0% or .

You are about to add **0 people** to the discussion. Proceed with caution.

Finish editing this message first!

Please register or sign in to comment

CVE-2023-42467: hw/scsi/scsi-disk: Disallow block sizes smaller than BDRV_SECTOR_SIZE (3f911044) · Commits · Thomas Huth / QEMU · GitLab

To help government agencies and regulated industries embrace cloud-native innovation at scale while enhancing their security posture, we are pleased to announce the publication of the Security Technical Implementation Guide (STIG) from the Defense Information Systems Agency (DISA) for Red Hat OpenShift 4. The guide is available for download at the Department of Defense (DoD) Cyber Exchange.

As containers continue to grow in adoption, the number of vulnerabilities and regulatory concerns has increased exponentially. According to Red Hat’s 2023 State of Kubernetes Security Report, 67% of re

To help government agencies and regulated industries embrace cloud-native innovation at scale while enhancing their security posture, we are pleased to announce the publication of the Security Technical Implementation Guide (STIG) from the Defense Information Systems Agency (DISA) for Red Hat OpenShift 4. The guide is available for download at the Department of Defense (DoD) Cyber Exchange.

As containers continue to grow in adoption, the number of vulnerabilities and regulatory concerns has increased exponentially. According to Red Hat’s 2023 State of Kubernetes Security Report, 67% of respondents report they have had to slow down cloud-native adoption due to security concerns. However, the need for rigorous security measures and compliance controls doesn’t mean organizations need to place digital transformation efforts on hold.

**Scaling innovation while focusing on security**

Managing security is a continuous process. Red Hat OpenShift is designed to support how government agencies work in a digital world, enabling Kubernetes-based applications to be developed and deployed more quickly while prioritizing security posture and compliance measures. Red Hat OpenShift is a single application platform for building and scaling containerized applications or modernizing existing applications. Red Hat OpenShift helps you build security into your applications by shifting security to the left, automate policies that let you manage container deployment security, and protects cloud-native applications at runtime. Additionally, Red Hat OpenShift Platform Plus builds on the capabilities of Red Hat OpenShift with:

*   Red Hat Advanced Cluster Management for Kubernetes, which provides multicluster management, end-to-end visibility, and control of your Kubernetes clusters.
*   Red Hat Advanced Cluster Security for Kubernetes, which provides Kubernetes-native security with DevSecOps capabilities to protect the software supply chain, infrastructure, and workloads.
*   Red Hat Quay, a globally-distributed and scalable registry with advanced access control and security scanning.

**Customers benefits**

Using the critical security guidance, organizational approvals will be more attainable to get systems in production faster for security-conscious computing in a variety of regulated industries, from energy and banking to government and defense.

Key benefits include:

*   Customers can now deploy Red Hat OpenShift with greater assurance that it complies with STIG security guidelines. 
*   STIG for Red Hat OpenShift includes a number of controls that cover not just Red Hat OpenShift, but also the underlying Red Hat CoreOS, upon which the OpenShift node is built.
*   Administrators automatically assess compliance of both the Kubernetes resources of Red Hat OpenShift, as well as the nodes running the cluster. The latest Compliance Operator, expected to be available later this month, uses OpenSCAP, a NIST-certified tool, to scan clusters for compliance with a range of security policies. Administrators can also use the Compliance Operator to automatically remediate clusters to achieve compliance with the profile.

"Red Hat has long been a leader in security for enterprise open source solutions and continues to evolve to set new standards in securing cloud-native environments,” said Vincent Danen, vice president, Product Security, Red Hat. “With the publication of the DISA STIG for Red Hat OpenShift 4, agencies and organizations can build, deploy, and operate a wide range of applications across the hybrid cloud with the assurance that it is in compliance with STIG security guidelines."

Red Hat is committed to bringing the industry’s leading hybrid cloud application platform powered by Kubernetes to government agencies and regulated industries that want to embrace open hybrid cloud while meeting the stringent requirements of sensitive workloads. This announcement follows additional recent certifications and attestations, including the release of the first Ansible STIG, the announcement of Red Hat OpenShift on AWS prioritization for FedRAMP JAB, and an assessment of Red Hat OpenShift Service on AWS through the InfoSec Registered Assessors Program (IRAP). 

**Download today**

Get started today with a modern, scalable approach to enhancing security for the entire application platform stack with the Red Hat OpenShift 4 DISA STIG.

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.

Read full bio

DISA STIG for Red Hat OpenShift is now available

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1.-git.

Expand Up @@ -292,7 +292,7 @@ public function uploadForm($filename, $allowed\_size = 0, $destination = false) { $dest\_size = (int) $\_FILES\[$filename\]\['size'\]; $dest\_name = files\_sanitize\_name($\_FILES\[$filename\]\['name'\]);  
$file = new cmsUploadfile($source, $this\->allowed\_mime); $file = cmsUploadfile::fromPath($source, $this\->allowed\_mime);  
if (!$file\->isAllowed()) { return \[ Expand Down Expand Up @@ -341,12 +341,12 @@ public function uploadFromLink($post\_filename, $allowed\_size = 0, $destination =  
$link = $file\_name = trim($\_POST\[$post\_filename\]);  
$url\_data = parse\_url($link);  
// Валидный URL с PATH if ( // Валидный URL с PATH filter\_var($link, FILTER\_VALIDATE\_URL, FILTER\_FLAG\_PATH\_REQUIRED) !== $link || // По IP адресу не разрешаем preg\_match('#^(?:(?:https?):\\/\\/)(\[0-9\]{1,3}\\.\[0-9\]{1,3}\\.\[0-9\]{1,3}\\.\[0-9\]{1,3}).\*#ui', $link) empty($url\_data\['host'\]) ) {  
return \[ Expand All @@ -357,6 +357,32 @@ public function uploadFromLink($post\_filename, $allowed\_size = 0, $destination = \]; }  
// Узнаём ipv4 адрес хоста, gethostbyname умеет только ipv4 $host\_ip = gethostbyname($url\_data\['host'\]); // Не зарезольвили if ($host\_ip === $url\_data\['host'\]) { return \[ 'success' => false, 'error' => 'Not allowed', 'name' => '', 'path' => '' \]; }  
// Проверяем вхождение в зарезервированные сети if(filter\_var( $host\_ip, FILTER\_VALIDATE\_IP, FILTER\_FLAG\_IPV4 | FILTER\_FLAG\_NO\_PRIV\_RANGE | FILTER\_FLAG\_NO\_RES\_RANGE ) !== $host\_ip){ return \[ 'success' => false, 'error' => 'Not allowed', 'name' => '', 'path' => '' \]; }  
// проверяем редирект и имя файла $curl = curl\_init(); curl\_setopt($curl, CURLOPT\_PROTOCOLS, CURLPROTO\_HTTPS | CURLPROTO\_HTTP); Expand All @@ -374,8 +400,7 @@ public function uploadFromLink($post\_filename, $allowed\_size = 0, $destination = $url = trim($matches\[1\]);  
if (strpos($url, 'http') !== 0) { $url\_data = parse\_url($link); $link = $url\_data\['scheme'\] . '://' . $url\_data\['host'\] . $url; $link = $url\_data\['scheme'\] . '://' . $url\_data\['host'\] . $url; } else { $link = $url; } Expand Down Expand Up @@ -442,7 +467,7 @@ public function uploadXHR($filename, $allowed\_size = 0, $destination = false) { \*/ private function saveFileFromString($file\_bin, $allowed\_size, $destination, $dest\_name) {  
$file = new cmsUploadfile($file\_bin, $this\->allowed\_mime); $file = cmsUploadfile::fromString($file\_bin, $this\->allowed\_mime);  
if (!$file\->isAllowed()) { return \[ Expand Down

CVE-2023-4879: Fixed xss in admin panel, complete fix SSRF in upload by link, option… · instantsoft/icms2@d0aeeaf

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository hamza417/inure prior to build92.

CVE-2023-4876: huntr – Security Bounties for any GitHub repository

Expand Up

@@ -76,6 +76,7 @@

android:theme\="@style/Inure"

android:windowSoftInputMode\="adjustPan"

tools:ignore\="AllowBackup"

android:taskAffinity\="app.simple.inure"

tools:targetApi\="tiramisu"\>

  

<profileable android:shell\="true" />

Expand Down Expand Up

@@ -107,7 +108,6 @@

android:exported\="true"

android:label\="@string/terminal"

android:launchMode\="singleTask"

android:taskAffinity\="app.simple.inure"

android:windowSoftInputMode\="adjustResize" />

  

<activity

Expand Down

CVE-2023-4877: Build92 · Hamza417/Inure@09762e8

OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.

Historically, PMIx has operated as a library at the user level in relatively controlled environments (i.e., the typical high-performance computing cluster embedded in a protected network, and thus not exposed to the general Internet). This situation has changed, however, as system management stack packages and other software operating at privileged levels have begun to operate PMIx servers. Increasingly, the PMIx library finds itself in situations where its communications are between entities at different privilege levels (e.g., between root and user) and operating on head nodes with direct connection to more exposed networks.

The PMIx community takes security associated with use of its library seriously, recognizing that our ability to respond to concerns is bound by our limited access to volunteer resources. We deeply appreciate coordinated efforts done in partnership with our reporters as these have the highest probability for a successful and satisfactory resolution. Reports that simply state something is wrong while providing no assistance in triaging the problem or developing the solution will be treated seriously, but with correspondingly longer response times.

PMIx does not have formal, contractual relationships with its users. Instead, we have informal relationships with downstream packagers (e.g., Debian, Fedora, SUSE), resource managers (e.g., Slurm, PBS, PALS), and libraries (e.g., Open MPI, MPICH, OpenSHMEM, PGAS). This quite frequently takes the form of individuals as opposed to organizational contacts. Thus, it isn’t possible for the PMIx community to offer any guarantees as to the breadth or immediacy of notification for security issues. We can only do our best to alert the people we know about, and hope that they spread the word as required.

Our vulnerability disclosure process reflects this situation. While we strongly encourage discoverers to report potential security issues to us and follow our process, we will respect their wishes and work with them in cases where their preferred process may vary.

NOTE: any potential security issue should be reported immediately to us at security@pmix.org

**14.1. Vulnerability Disclosure Process**

This process covers security issues pertaining to the PMIx library itself. Issues with closely related components — such as libevent, HWLOC, MUNGE or third-party plugins — may be raised with us and we will work with the reporter to identify the appropriate contacts and coordinate disclosure.

The PMIx Vulnerability Disclosure Process consists of several distinct, but possibly overlapping steps:

1.  Problem identification and initial triage.
    
    The problem is reported to the community and a first-level triage performed. Primary focus here is on scoping the extent of the issue so it can properly be communicated (both in terms of severity and complexity to address) to the rest of the community.
    
2.  Notification and embargo
    
    Once the problem has been triaged, it will be communicated to the known consumers of the PMIx library (as noted above). This will be done in a private manner and all informed will be asked to maintain that privacy during the embargo period. The purpose of this step is to ensure the timely notification of the problem without alerting potential bad players as to the vulnerability, thus giving the community time to respond to the problem. The community will use this period to assemble a team to address the problem.
    
    The embargo period is expected to continue during the entire time work is being performed towards a resolution of the problem. The PMIx community, of course, has no control over the actions of its members or users, and therefore cannot guarantee confidentiality throughout the resolution process. However, the community will request best efforts from all involved due to the shared interest.
    
3.  Private release
    
    Once a solution to the problem has been devised, a new release of the library will be made that includes the fix. This will first be made available to the known consumers of the library, as well as the initial reporter if not a member of that list. A reasonable amount of time will be provided (as defined by general discussion across the involved parties) for rollout to occur through the participants. The embargo on public discussion will be maintained throughout this step.
    
4.  General release
    
    At this point, the embargo will be lifted and a general announcement (including email to the PMIx mailing lists) of the problem and availability of the solution will be made. All users will be urged to update as quickly as possible. All vulnerable releases will be removed from the GitHub release pages, though the tags corresponding to those releases will be retained for historical purposes.
    

**14.2. Software Authenticity and Integrity**

Authenticity and integrity of PMIx software should always be confirmed by computing the checksum of the archive and comparing it with the value listed on the GitHub release page. Assuming you downloaded the file pmix-4.2.2.tar.bz2, you can run the sha1sum command like this:

shell$ sha1sum pmix-4.2.2.tar.bz2

Check that the output matches what is printed in the release announcement, which may look like this:

b4e1cb79dfd94c1b9db8eaba02f725c07ef9df2b  pmix-4.2.2.tar.bz2

To avoid having to manually compare the string, you may use the sha1sum -c parameter as follows:

echo 'b4e1cb79dfd94c1b9db8eaba02f725c07ef9df2b  pmix-4.2.2.tar.bz2'|sha1sum \-c

CVE-2023-41915: 14. OpenPMIx Security Policy — OpenPMIx latest documentation

Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12

From a4752eb0ae0a521eec02e59e51ae5daedf74fda0 Mon Sep 17 00:00:00 2001 From: Kevin McCarthy Date: Sun, 3 Sep 2023 14:11:48 +0800 Subject: \[PATCH\] Fix write\_one\_header() illegal header check. This is another crash caused by the rfc2047 decoding bug fixed in the second prior commit. In this case, an empty header line followed by a header line starting with ":", would result in t==end. The mutt\_substrdup() further below would go very badly at that point, with t >= end+1. This could result in either a memcpy onto NULL or a huge malloc call. Thanks to Chenyuan Mi (@morningbread) for giving a working example draft message of the rfc2047 decoding flaw. This allowed me, with further testing, to discover this additional crash bug. --- sendlib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sendlib.c b/sendlib.c index 763bff41..204b1308 100644 --- a/sendlib.c +++ b/sendlib.c @@ -2130,7 +2130,7 @@ static int write\_one\_header (FILE \*fp, int pfxw, int max, int wraplen, else { t = strchr (start, ':'); - if (!t || t > end) + if (!t || t >= end) { dprint (1, (debugfile, "mwoh: warning: header not in " "'key: value' format!\\n")); -- GitLab

CVE-2023-4874

Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12

From 4cc3128abdf52c615911589394a03271fddeefc6 Mon Sep 17 00:00:00 2001 From: Kevin McCarthy Date: Mon, 4 Sep 2023 12:50:07 +0800 Subject: \[PATCH\] Check for NULL userhdrs. When composing an email, miscellaneous extra headers are stored in a userhdrs list. Mutt first checks to ensure each header contains at least a colon character, passes the entire userhdr field (name, colon, and body) to the rfc2047 decoder, and safe\_strdup()'s the result on the userhdrs list. An empty result would from the decode would result in a NULL headers being added to list. The previous commit removed the possibility of the decoded header field being empty, but it's prudent to add a check to the strchr calls, in case there is another unexpected bug resulting in one. Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr crashes, giving a working example draft message, and providing the stack traces for the two NULL derefences. --- sendlib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sendlib.c b/sendlib.c index c2283972..763bff41 100644 --- a/sendlib.c +++ b/sendlib.c @@ -2418,7 +2418,7 @@ int mutt\_write\_rfc822\_header (FILE \*fp, ENVELOPE \*env, BODY \*attach, char \*date, /\* Add any user defined headers \*/ for (; tmp; tmp = tmp->next) { - if ((p = strchr (tmp->data, ':'))) + if ((p = strchr (NONULL (tmp->data), ':'))) { q = p; @@ -2466,7 +2466,7 @@ static void encode\_headers (LIST \*h) for (; h; h = h->next) { - if (!(p = strchr (h->data, ':'))) + if (!(p = strchr (NONULL (h->data), ':'))) continue; i = p - h->data; -- GitLab

CVE-2023-4875

A vulnerability has been found in IBOS OA 4.5.5 and classified as critical. This vulnerability affects unknown code of the file ?r=dashboard/position/edit&op=member. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239260.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-4851: cve/sql.md at main · liuqiba12345678/cve

Spyware masquerading as modified versions of Telegram have been spotted in the Google Play Store that’s designed to harvest sensitive information from compromised Android devices.
According to Kaspersky security researcher Igor Golovin, the apps come with nefarious features to capture and exfiltrate names, user IDs, contacts, phone numbers, and chat messages to an actor-controlled server.
The

Mobile Security / Spyware

Spyware masquerading as modified versions of Telegram have been spotted in the Google Play Store that's designed to harvest sensitive information from compromised Android devices.

According to Kaspersky security researcher Igor Golovin, the apps come with nefarious features to capture and exfiltrate names, user IDs, contacts, phone numbers, and chat messages to an actor-controlled server.

The activity has been codenamed **Evil Telegram** by the Russian cybersecurity company.

The apps have been collectively downloaded millions of times before they were taken down by Google. Their details are as follows -

*   電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) - 10 million+ downloads
*   TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) - 50,000+ downloads
*   电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) - 50,000+ downloads
*   电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) - 10,000+ downloads
*   ئۇيغۇر تىلى TG - تېلېگرامما (org.telegram.messenger.wcb) - 100+ downloads

The last app on the list translates to "Telegram - TG Uyghur," indicating a clear attempt to target the Uyghur community.

It's worth noting that the package name associated with the Play Store version of Telegram is "org.telegram.messenger," whereas the package name for the APK file directly downloaded from Telegram's website is "org.telegram.messenger.web."

The use of "wab," "wcb," and "wob" for the malicious package names, therefore, highlights the threat actor's reliance on typosquatting techniques in order to pass off as the legitimate Telegram app and slip under the radar.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

"At first glance, these apps appear to be full-fledged Telegram clones with a localized interface," the company said. "Everything looks and works almost the same as the real thing. \[But\] there is a small difference that escaped the attention of the Google Play moderators: the infected versions house an additional module:"

The disclosure comes days after ESET revealed a BadBazaar malware campaign targeting the official app marketplace that leveraged a rogue version of Telegram to amass chat backups.

Similar copycat Telegram and WhatsApp apps were uncovered by the Slovak cybersecurity company previously in March 2023 that came fitted with clipper functionality to intercept and modify wallet addresses in chat messages and redirect cryptocurrency transfers to attacker-owned wallets.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git